Reported July 18, 2003, by Mark Litchfield.

VERSION AFFECTED

  • Witango and Tango 2000 Application Server

 

DESCRIPTION

 

A buffer-overrun condition in Witango and Tango 2000 Application Server can result in remote compromise of the vulnerable host. If a malicious user supplies an overly long value in the Witango_UserReference cookie, the saved return address on the stack is overwritten. Because Witango is installed as LocalSystem, any code executed this way runs as SYSTEM.


DEMONSTRATION

 

The discoverer posted the following scenario as proof of concept:

 

GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference= parameter length 2864

 

VENDOR RESPONSE

 

Witango has corrected this problem and recommends that affected customers download the latest build from its Web site.
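
Until the fixed build is installed, the overlong cookie described above can be flagged or rejected in front of the server. The following check is an added example, not part of the original advisory or the vendor's guidance; the 128-byte ceiling, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example (not from the advisory): flag requests whose
# Witango_UserReference cookie value is longer than a site-chosen ceiling.
MAX_USERREF_LEN = 128  # assumption: tune to the longest legitimate value you observe
COOKIE_NAME = b"witango_userreference"  # compared case-insensitively to catch variants


def cookie_values(raw_request: bytes, name: bytes = COOKIE_NAME):
    """Yield every value of the named cookie across all Cookie headers."""
    head = raw_request.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    headers = []
    for line in head.split(b"\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1] += b" " + line.strip()  # obsolete folded continuation
        else:
            headers.append(line)
    for header in headers:
        field, sep, value = header.partition(b":")
        if not sep or field.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            key, _, val = pair.partition(b"=")
            if key.strip().lower() == name:
                yield val.strip()


def oversized_userref(raw_request: bytes, limit: int = MAX_USERREF_LEN):
    """Return the longest offending value length, or None if within the limit."""
    worst = max((len(v) for v in cookie_values(raw_request)), default=0)
    return worst if worst > limit else None


def build_request(cookie_header: bytes) -> bytes:
    """Constructed sample request for exercising the check offline."""
    return (b"GET /index.tml HTTP/1.1\r\nHost: example.test\r\n"
            b"Cookie: " + cookie_header + b"\r\n\r\n")


if __name__ == "__main__":
    normal = build_request(b"lang=en; Witango_UserReference=0123456789ABCDEF")
    overlong = build_request(b"Witango_UserReference=" + b"A" * 2864)
    for label, req in (("normal", normal), ("overlong", overlong)):
        hit = oversized_userref(req)
        print(label, "->", "BLOCK (%d bytes)" % hit if hit else "allow")
```

The same length test can be applied to proxy or web-server logs that record the Cookie header, to look for past requests of this shape.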

 

CREDIT
Discovered by NGSSoftware.