Reported July 18, 2003, by Mark Litchfield.
Witango and Tango 2000 Application Server
A buffer-overrun condition in Witango and Tango 2000 Application Server can result in remote compromise of the vulnerable host. If a malicious user passes an overly long value in the Witango_UserReference cookie, the saved return address on the stack is overwritten. Because Witango is installed as LocalSystem, any arbitrary code executed this way runs as SYSTEM.
The discoverer posted the following scenario as proof of concept:
GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference= parameter length
Witango has corrected this problem and recommends that affected customers download the latest build from its Web site.
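For hosts that cannot be upgraded immediately, a proxy or log-review check can flag requests carrying an oversized Witango_UserReference cookie. The following is an added example, not code from NGSSoftware or Witango; the 128-character limit, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: flag HTTP requests whose Witango_UserReference cookie is oversized.
MAX_COOKIE_VALUE_LEN = 128  # assumption: site-chosen limit, not a vendor figure
COOKIE_NAME = "witango_userreference"  # compared case-insensitively to be conservative

def unfold_headers(raw_request):
    """Return (name, value) pairs, joining folded continuation lines."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def witango_cookie_lengths(raw_request):
    """Lengths of every Witango_UserReference value across all Cookie headers."""
    lengths = []
    for name, value in unfold_headers(raw_request):
        if name != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.partition("=")
            if key.strip().lower() == COOKIE_NAME:
                lengths.append(len(val.strip()))
    return lengths

def is_suspicious(raw_request, limit=MAX_COOKIE_VALUE_LEN):
    """True if any Witango_UserReference value exceeds the configured limit."""
    return any(n > limit for n in witango_cookie_lengths(raw_request))

# Constructed sample requests (not captured traffic).
NORMAL = (
    "GET /index.tml HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Accept: image/gif,\r\n image/jpeg\r\n"
    "Cookie: lang=en; Witango_UserReference=A1B2C3D4E5F6\r\n\r\n"
)
OVERSIZED = (
    "GET /index.tml HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: Witango_UserReference=" + "A" * 3000 + "\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, witango_cookie_lengths(req), is_suspicious(req))
```

Set the limit from the longest Witango_UserReference value seen in legitimate traffic for the site; the check is a stopgap and does not replace installing the corrected build.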
Discovered by NGSSoftware.