Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Adminware, Control Panels :: web5285.htm

Webtrends Reporting Center buffer overflow leading to arbitrary code execution
19th Apr 2002 [SBWID-5285]

	Webtrends Reporting Center buffer overflow  leading  to  arbitrary  code


	WebTrends Reporting Center 4.0d


	In  NGSSoftware  Insight  Security  Research   Advisory   #NISR17042002C
	[] :




	WebTrends Reporting Center provides fast and comprehensive  analysis  of
	web  site   activity   to   multiple   decision-makers   throughout   an
	organization via a browser-based interface. WebTrends  Reporting  Center
	is, according to their own  website,  NetIQ\'s  flagship  web  analytics
	reporting product, recently receiving an  Editor\'s  Choice  Award  from
	Network Computing Magazine  (Feb 6, 2002).




	Buffer Overrun

	In order for an attacker to exploit  this  vulnerability  requires  they
	must first undergo user authentication at

	http://targetmachine:1099(default listening port)/


	However, Webtrends Reporting Server allows anonymous logins for  reports
	that are made available for public viewing. After  a  successful  login,
	making a GET request to

	http://targetmachine:1099/reports/(Long Char String)


	will cause an access violation occurs  in  WTRS_UI.EXE  (WTX_REMOTE.DLL)
	overwriting the saved return address on the stack. The Reporting  Server
	process, WTRS_UI.EXE, is by default started as a  system  service  along
	with WTRS.EXE, therefore any arbitary code  would  execute  with  system

	Path Disclosure

	By making a simple GET request for



	(no authentication required) an error message is returned

	Unable to open content file path=C:/PROGRA~1/WEBTRE~1/wtm_wtx/



	 Fix Information



	NGSSoftware alerted Webtrends to the buffer overrun issue on 31st  March
	2002 and future versions will be fixed. There is still some question  as
	to whether a patch  will  be  produced  for  earlier  versions.  In  the
	meantime  NGSSoftware  recommend  preventing  anonymous  access  to  the
	Reports server. NGSSoftware recommend that where possible,  the  service
	be run as a low privileged account  as  opposed  to  starting  it  as  a
	system service.

	A check for these issues have been added to  Typhon  II,  NGSSoftware\'s
	vulnerability  assessment  scanner,  of  which   more   information   is
	available from the NGSSite :

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH