Bugtraq mailing list archives
Re: Infoseek Ultraseek Remote Buffer Overflow
From: Marc () EEYE COM (Marc)
Date: Thu, 16 Dec 1999 13:07:27 -0800
Something we failed to mention, which is rather important, is that only the NT version of Ultraseek is affected.

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of luciano
| Sent: Thursday, December 16, 1999 12:49 AM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: Infoseek Ultraseek Remote Buffer Overflow
|
| USSR & eEye DS Present:
|
| Infoseek Ultraseek 3.1 Remote Buffer Overflow
|
| USSR Advisory Code: 20
| eEye DS Advisory Code: AD19991215
|
| Release Date:
| December 15, 1999
|
| Systems Affected:
| Infoseek Ultraseek 2.1 to 3.1 and possibly others.
|
| The Opener:
| T1 Internet Connection: $1,000/month
| Dell PowerEdge 4350 Server: $4,307
| 10k Doc. license for Ultraseek 3.1: $4,995
| Brand new office in Silicon Valley: $10,000/month
|
| The look on your CEO's face when you get hacked: Priceless.
|
| About The Software:
| Ultraseek is Infoseek Corporation's search engine software. The power and
| flexibility of Ultraseek allow it to be used by a variety of businesses,
| from the small mom and pop shops to companies even as large as Infoseek
| themselves. You've heard of go.com by now, haven't you?
|
| Description:
|
| This advisory, although a rather nasty one, will be pretty small. We are not
| going to get into the mechanics of buffer overflows since the subject has
| been talked about a lot. If you would like to learn more about what a
| buffer overflow is we suggest the following links:
| http://www.l0pht.com/advisories/bufero.html
| http://arden.iss.net/~msells/docs/smashstack.txt
| http://www.cultdeadcow.com/cDc_files/cDc-351/
| http://www.beavuh.org/dox/win32_oflow.txt
|
| By default the Ultraseek search engine listens on port 8765 and provides an
| HTTP interface to allow internet/intranet users to search a server for
| documents pertaining to their search keywords.
|
| To identify a vulnerable server you would do the following:
| C:\>telnet www.example.com 8765
| send-> HEAD / HTTP/1.0
|
| recv-> HTTP/1.0 200 OK
| recv-> Server: Ultraseek/3.1 Python/1.5.1
| recv-> Date: Thu, XX Dec 1999 23:59:42 GMT
| recv-> Content-type: text/html
| recv-> Content-length: 0
|
| Ultraseek 3.1 is the current version of Ultraseek as of the writing of this
| advisory. We have tested versions as old as 2.1. So while we are not
| positive, we are pretty sure every version of Ultraseek prior to 3.1 is
| vulnerable.
|
| The overflow occurs in the HTTP GET command. To DoS (Denial of Service) the
| server you would do the following:
| C:\>telnet www.example.com 8765
| GET /[overflow]/ HTTP/1.0
| <enter>
| <enter>
|
| At this point one of the two pyseekd.exe (Ultraseek Server Process) will
| drop and reinitialize. Since it is a service you will never get an on
| screen memory error. Also you will not even really notice the process drop
| and reload, but if you look closely when you DoS the server one of the two
| pyseekd.exe processes will now have a new PID.
|
| This is just like any typical buffer overflow and it is exploitable. To
| download a proof of concept exploit, go to:
| http://www.ussrback.com/
| http://www.eeye.com/
| Note: The example will just create a file called ussreeye.txt in whatever
| the current root is. This exploit has only been tested against Ultraseek 2.1
| for NT Service Pack 5 and NT Service Pack 6. Please do not send us e-mail
| saying you could not get it to work or things of that nature. If you can't
| fix it yourself then most likely you do not need to be using it in the first
| place.
|
| What gets logged you ask?
| Well in the application event log you will see a Warning with the following
| information: "Ultraseek Server: Warning: restarted 3.1.4".
| In the Ultraseek http access logs (C:\Program Files\Infoseek\UltraseekServer\data\logs)
| nothing gets logged.
| So when all is said and done, unless you have a router log to match the event
| log time with... you're left with no way of knowing who did the dirty deed.
|
| Once again a web service, just like IIS, fails to log a command before it
| processes. Any service that takes commands needs to log the command first
| and then process it. That way unless there is an overflow in the logging
| process we will always know what IP performed the attack.
|
| This advisory was made possible by a joint effort of USSR (Underground
| Security Systems Research) and eEye Digital Security.
|
| Do you do the w00w00?
| This advisory also acts as part of w00giving. This is another contribution
| to w00giving for all you w00nderful people out there. You do know what
| w00giving is don't you? http://www.w00w00.org/advisories.html
|
| Vendor Status:
| We would like to thank Infoseek for the wonderful way they handled this
| advisory. The process went rather perfect, if there is such a thing in the
| security world.
|
| Fix:
| http://software.infoseek.com/products/ultraseek/upgrade_nt.htm
| ftp://ftp.infoseek.com/pub/software/ultraseek-3.1.5.exe
|
| Related Links:
|
| eEye Digital Security
| http://www.eEye.ccom
|
| Retina - The Network Security Scanner
| http://www.eEye.com/retina/
|
| Underground Security Systems Research
| http://www.ussrback.com
|
| CrunchSp
| http://www.ussrback.com/products.html
|
| Greetings:
| Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
| Wiretrip.
|
| Copyright (c) 1998-1999 eEye Digital Security
| Permission is hereby granted for the redistribution of this alert
| electronically. It is not to be edited in any way without express consent
| of eEye. If you wish to reprint the whole or any part of this alert in any
| other medium excluding electronic medium, please e-mail alert () eEye com for
| permission.
|
| Disclaimer
| The information within this paper may change without notice. Use of this
| information constitutes acceptance for use in an AS IS condition. There are
| NO warranties with regard to this information. In no event shall the author
| be liable for any damages whatsoever arising out of or in connection with
| the use or spread of this information. Any use of this information is at
| the user's own risk.
|
| Feedback
| Please send suggestions, updates, and comments to:
|
| eEye Digital Security
| mail:info () eEye com
| http://www.eEye.com
|
| USSR Labs
| mail:labs () ussrback com
| http://www.ussrback.com
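The router-log correlation the advisory says is the only way to attribute a restart (the access log records nothing, the event log records only "Ultraseek Server: Warning: restarted"), written out as an added example that is not part of the original post or of eEye/USSR's code. It assumes constructed event-log and router-log line formats, shown inline, and a 30 second lookback window before each restart.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not from the advisory). Assumed formats: an NT
# application event log export and a router connection log, both with
# "YYYY-MM-DD HH:MM:SS" timestamps and a TCP destination written "ip:port".
EVENT_LOG = """\
1999-12-16 23:55:02 Information Ultraseek Server: started 3.1.4
1999-12-16 23:59:55 Warning Ultraseek Server: Warning: restarted 3.1.4
"""
ROUTER_LOG = """\
1999-12-16 23:58:10 permit tcp 192.0.2.10:40211 -> 198.51.100.5:8765
1999-12-16 23:59:51 permit tcp 203.0.113.7:1093 -> 198.51.100.5:8765
1999-12-16 23:59:53 permit tcp 203.0.113.7:1094 -> 198.51.100.5:80
"""

RESTART_RE = re.compile(r"^(\S+ \S+) Warning Ultraseek Server: Warning: restarted")
CONN_RE = re.compile(r"^(\S+ \S+) permit tcp (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def restart_times(event_log):
    """Timestamps of the 'Warning: restarted' events the advisory says get logged."""
    times = []
    for line in event_log.splitlines():
        m = RESTART_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), TS_FMT))
    return times

def suspects(event_log, router_log, port=8765, window_seconds=30):
    """Map each restart timestamp (as text) to the sorted source IPs that
    connected to the Ultraseek port within window_seconds before it."""
    conns = []
    for line in router_log.splitlines():
        m = CONN_RE.match(line)
        if m and int(m.group(3)) == port:   # only the search engine's port matters
            conns.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    window = timedelta(seconds=window_seconds)
    result = {}
    for t in restart_times(event_log):
        ips = {ip for ct, ip in conns if t - window <= ct <= t}
        result[t.strftime(TS_FMT)] = sorted(ips)
    return result

if __name__ == "__main__":
    print(suspects(EVENT_LOG, ROUTER_LOG))
```

Widening the window trades precision for recall; on a busy server the candidate list grows quickly, which is why logging the request before processing it (the advisory's closing point) is the real fix.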
Current thread:
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords"), (continued)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Aleph One (Dec 16)
- ssh/rsaref bo exploit code Iván Arce (Dec 16)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Rob Jones (Dec 16)
- More on Red Hat 6.1 sysklogd David F. Skoll (Dec 19)
- Security vulnerability in certain wu-ftpd (and derivitives) configurations (fwd) suid (Dec 19)
- Netscape password scrambling Gary McGraw (Dec 20)
- Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords") Holger van Lengerich (Dec 20)
- Microsoft Security Bulletin (MS99-059) Microsoft Product Security (Dec 20)
- (Possible) Linuxconf Remote Buffer Overflow Vulnerability Elias Levy (Dec 21)
- Infoseek Ultraseek Remote Buffer Overflow luciano (Dec 16)
- Re: Infoseek Ultraseek Remote Buffer Overflow Marc (Dec 16)