Bugtraq mailing list archives

Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717)

From: cst () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Wed, 19 Jul 2000 15:47:07 +0100


Cerberus Information Security Advisory (CISADV000717)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released: 17th July 2000
Name: Website Pro GET buffer overflow
Affected Systems     : Windows NT running Website Pro  2.4
Issue: Remote attackers can execute arbitrary code
Author: David Litchfield (mnemonix () globalnet co uk)

Description
***********
The Cerberus Security Team has discovered a buffer overflow in O'Reilly's
Website Pro 2.4. This overflow can be exploited by an attacker to execute
arbitrary code.

Details
*******
There are many ways to cause this overflow - for example with an overly long
"GET" request or overly long "Referer" client header. The saved return
address is overwritten gaining control of the httpd32.exe process. By
overwriting the return address with an address in memory that contains the
"call ebx" or jmp ebx" it is possible to land back in the user supplied
buffer where exploit code would be placed.

Vendor Status
*************
O'Reilly were informed of this on 23rd of June 2000, and the issue has been
fixed in the 2.5 release available at
http://software.oreilly.com/support/software/wsp2x_updates.cfm.

Solution
********
Download and upgrade to release 2.5.

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 70 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

Current thread:

Re: CheckPoint FW1 BUG NHC Research (Jul 13)
- Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
  - Re: CheckPoint FW1 BUG uh Clem (Jul 14)
    - Re: CheckPoint FW1 BUG Hugo.van.der.Kooij () CAIW NL (Jul 14)
    - Re: CheckPoint FW1 BUG Jon Paul, Nollmann (Jul 17)
    - Re: CheckPoint FW1 BUG Benjamin Smee (Jul 19)
    - HP Jetdirect - Invalid FTP Command DoS Peter Grundl (Jul 19)
    - Re: CheckPoint FW1 BUG Per Hoff (Jul 19)
    - Alert: Buffer Overrun is O'Reilly WebsitePro httpd32.exe (CISADV000717) Cerberus Security Team (Jul 19)
    - Alert: Buffer Overrun is O'Reilly WebsitePro webfind.exe (CISADV000718) Cerberus Security Team (Jul 19)
    - Outlook exploit fix opens old hole? Ben (Jul 19)
    - [COVERT-2000-08] O'Reilly WebSite Professional Overflow COVERT Labs (Jul 19)
    - Security Fix for Blackboard CourseInfo 4.0 aleph1 () securityfocus com (Jul 19)
    - [TL-Security-Announce] wu-ftpd TLSA2000014-1 Joe Little (Jul 19)
    - @stake iKey 1000 Security Advisory Kingpin (Jul 20)
    - Re: @stake iKey 1000 Security Advisory Darren Reed (Jul 20)
    - Security Update: DoS on gpm Technical Support (Jul 20)
  - Biometrics conference Farrow, Rik (Jul 17)
  - Re: CheckPoint FW1 BUG Brian Krahmer (Jul 17)

(Thread continues...)