DST2K0019: Multiple BufferOverruns in WebBBS v1.17

2000-07-04T00:00:00
ID SECURITYVULNS:DOC:403
Type securityvulns
Reporter Securityvulns
Modified 2000-07-04T00:00:00

Description

============================================================================ Delphis Consulting Plc ============================================================================

                       Security Team Advisories
                           [30/06/2000]

                        securityteam@delphisplc.com
              [http://www.delphisplc.com/thinking/whitepapers/]

============================================================================ Adv : DST2K0019 Title : Multiple BufferOverruns in WebBBS v1.17 Author : DCIST (securityteam@delphisplc.com) O/S : Microsoft Windows NT v4.0 Workstation (SP5) Product : WebBBS v1.17 Date : 30/06/2000

I. Description

II. Solution

III. Disclaimer

============================================================================

I. Description

Vendor URL: http://www.webbbs.org/

WebBBS fixed a number of bugs which were referenced in DST2K0018, however on release of the new version (19/06/2000) DCIST audited the new version and indeed the issues we released were resolved. How ever Delphis Consulting

Internet Security Team (DCIST) discovered the following new vulnerabilities in WebBBS under Windows NT.

Severity: med

By using a overly long string on the search file system option page it is possible to cause a Denial of Service. The reason this is a Denial of Service rather than a BufferOverrun (which indeed it does cause) is that the EIP is seemingly random when overwrriten (i.e. not byte perfect).

Severity: high

By using the New user sign up form shipped and installed as standard by WebBBS is possible to cause a BufferOverRun in WebBBS. This is done be connecting to port 80 (WebBBS) which the service resides on by default and sending a username. The username has to be a length of 892 + EIP (4 bytes making a total of 896 bytes). This will cause the above application to BufferOverRun over writing EIP. This would allow an attacker to execute arbitrary code.

II. Solution

Vendor Status: Informed

Currently there is no vendor patch available but the following are preventative measures Delphis Consulting Internet Security Team would advise users running this service to implement.

o Remove new user sign up o Remove filesystem search

We have had e-mail confirmation for the WebBBS support team that this will be dealt with once a code audit have been completed to erase any other areas we have not highlighted to them which may also be effected.

III. Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ============================================================================