|
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam
web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Buffer Overflow in HAHTsite Scenario Server
------------------------------------------------------------------------
SUMMARY
The <http://www.haht.com> HAHTsite Scenario Server is "a highly flexible,
standards-based e-business server that offers essential platform features
such as scalability, high availability, security and extensibility. The
Scenario Server also offers essential integration features that provide a
powerful framework for your demand chain management environment".
The HAHTsite Scenario Server does not perform proper bounds check on
requests passed to the application. This results in a buffer overflow
condition, when a large specially crafted request is sent to the server.
DETAILS
Vulnerable Systems:
* HAHTsite Scenario Server version 5.1, Patch 1 to 6
The issue can be triggered by requesting:
http://[hostname]/[cgialias]/hsrun.
exe/[ServerGroupName]/[ServerGroupName]/[VeryLongProjectName].
htx;start=[PageName]
This bug affects both background processes (regular server groups), and
control processes (the administrative server group).
The following error will appear in the event viewer when this
vulnerability is exploited:
- ------------------------------------------------------------------
Event Type: Error
Event Source: HAHTsite 5.1 Controller
Event Category: None
Event ID: 1032
Description:
Unexpected termination of server hsadmsrv with PID=xxxx: Exit Reason:
Unknown Reason
- ------------------------------------------------------------------
Impact:
A request like the above will overrun the allocated buffer and overwrite
EIP (Instruction Pointer), which leads to a service restart and the
possibility of remote code execution, giving an attacker the opportunity
to run commands on the server with permission of NT AUTHORITY\SYSTEM.
Corrective actions:
This security vulnerability can be corrected by applying the server fix
[20030010] from <http://www.haht.com/kb> http://www.haht.com/kb
For Windows:
<ftp://ftp.haht.com/private/support/fixes/5.
1/build91/ox79989_buffer_overrun_fix.zip>
ftp://ftp.haht.com/private/support/fixes/5.1/build91/ox79989_buffer_overrun_fix.
zip
For Solaris:
Contact HAHT Technical Support at <mailto:support@haht.com>
support@haht.com.
For Linux:
Contact HAHT Technical Support at <mailto:support@haht.com>
support@haht.com.
ADDITIONAL INFORMATION
The information has been provided by <mailto:dra@protego.dk> Dennis Rand.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.
|
