Reported July 18, 2003, by Mark Litchfield.

VERSION AFFECTED

  • Witango and Tango 2000 Application Server

DESCRIPTION

A buffer-overrun condition in Witango and Tango 2000 Application Server can result in remote compromise of the vulnerable host. If a malicious user passes a long cookie value in Witango_UserReference, the saved return address on the stack is overwritten. Because Witango is installed to run as LocalSystem, any code executed this way runs as SYSTEM.

DEMONSTRATION

The discoverer posted the following scenario as proof of concept:

 

GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference=[parameter length 2864]
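A detection-side check for the request shape above, added here as an example and not part of the original advisory: it extracts the Witango_UserReference cookie from a raw HTTP request and reports values longer than a limit. The 256-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example (not from the advisory): flag oversized Witango_UserReference cookies.
COOKIE_NAME = "Witango_UserReference"   # cookie named in the advisory
MAX_VALUE_LEN = 256                      # ASSUMED ceiling; tune to real session values


def cookie_values(raw_request, name=COOKIE_NAME):
    """Return every value of cookie `name` found in the request's Cookie headers."""
    # Normalise line endings, then keep only the header section.
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:              # [0] is the request line
        field, sep, rest = line.partition(":")
        if not sep or field.strip().lower() != "cookie":
            continue
        for pair in rest.split(";"):               # cookie-pairs are ';'-separated
            key, eq, val = pair.strip().partition("=")
            if eq and key.strip().lower() == name.lower():
                values.append(val.strip())
    return values


def oversized_cookies(raw_request, limit=MAX_VALUE_LEN):
    """Return the lengths of all matching cookie values longer than `limit`."""
    return [len(v) for v in cookie_values(raw_request) if len(v) > limit]


def sample_request(cookie_header):
    """Build a constructed request shaped like the one in the advisory."""
    return ("GET /ngssoftware.tml HTTP/1.1\r\n"
            "Host: ngssoftware.com\r\n"
            "User-Agent: My Browser\r\n"
            "Connection: Keep-Alive\r\n"
            f"{cookie_header}\r\n\r\n")


# Constructed inputs: a short value, the advisory's 2864-byte length, and a
# lower-case header name with the cookie placed second in the list.
BENIGN = sample_request("Cookie: Witango_UserReference=0A1B2C3D4E5F")
OVERLONG = sample_request("Cookie: Witango_UserReference=" + "A" * 2864)
MIXED = sample_request("cookie: theme=dark; Witango_UserReference=" + "B" * 300)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("overlong", OVERLONG), ("mixed", MIXED)):
        hits = oversized_cookies(req)
        print(label, "ALERT" if hits else "ok", hits)
```

The same length test can sit in a reverse proxy or log pipeline in front of hosts that have not yet been moved to the corrected build.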

 

VENDOR RESPONSE

Witango has corrected this problem and recommends that affected customers download the latest build from its Web site.

CREDIT

Discovered by NGSSoftware.