Reported July 18, 2003, by Mark Litchfield.
Witango and Tango 2000 Application Server
A buffer-overrun condition in Witango and Tango 2000 Application Server can result in remote compromise of the vulnerable host. If a malicious user sends an overly long value in the Witango_UserReference cookie, the saved return address on the stack is overwritten. Because Witango is installed as LocalSystem, any code executed through the overflow runs as SYSTEM.
The discoverer posted the following scenario as proof of concept:
GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference= parameter length
Witango has corrected this problem and recommends that affected customers download the latest build from its Web site.
Discovered by NGSSoftware.
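
A defensive check for the condition described above, as an added example that is not part of the original advisory or of Witango's code: it parses a raw HTTP request and flags any Witango_UserReference cookie value longer than a ceiling, the kind of test a reverse proxy or log filter could apply in front of an unpatched server. The 256-byte ceiling and all function names are assumptions; the advisory does not state a legitimate or triggering length.

```python
# Added example: flag requests whose Witango_UserReference cookie is oversized.
MAX_COOKIE_VALUE_LEN = 256  # assumption: tune to the longest legitimate value you observe
COOKIE_NAME = "witango_userreference"  # compared case-insensitively to be conservative


def parse_headers(raw_request: bytes) -> list[tuple[str, bytes]]:
    """Return (lower-cased name, value) pairs, joining folded continuation lines."""
    text = raw_request.replace(b"\r\n", b"\n")
    head = text.split(b"\n\n", 1)[0]           # ignore any request body
    headers: list[tuple[str, bytes]] = []
    for line in head.split(b"\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]           # folded header: append to previous
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, value = line.split(b":", 1)
            headers.append((name.strip().decode("latin-1").lower(), value.strip()))
    return headers


def witango_cookie_values(raw_request: bytes) -> list[bytes]:
    """Collect every value sent for the cookie, across all Cookie headers."""
    values = []
    for name, value in parse_headers(raw_request):
        if name != "cookie":
            continue
        for pair in value.split(b";"):
            key, _, val = pair.strip().partition(b"=")
            if key.strip().decode("latin-1").lower() == COOKIE_NAME:
                values.append(val.strip())
    return values


def is_suspicious(raw_request: bytes, limit: int = MAX_COOKIE_VALUE_LEN) -> bool:
    """True when any Witango_UserReference value exceeds the length ceiling."""
    return any(len(v) > limit for v in witango_cookie_values(raw_request))


def build_request(cookie_value: bytes) -> bytes:
    """Constructed sample request, modelled on the header layout shown above."""
    return (b"GET /ngssoftware.tml HTTP/1.1\r\n"
            b"Host: ngssoftware.com\r\n"
            b"Connection: Keep-Alive\r\n"
            b"Cookie: other=1; Witango_UserReference=" + cookie_value + b"\r\n\r\n")
```

Checking every Cookie header and joining folded lines matters here: a filter that inspects only the first header line can be bypassed by splitting the value.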