Cerberus Information Security Advisory (CISADV000505) http://www.cerberus-infosec.co.uk/advisories.shtml Released : 5th May 2000 Name : DNewsweb Buffer Overflow Affected Systems : *nix/Win32 Web Servers running Dnewsweb Issue : Attackers can remotely execute arbitrary code Author : Mark Litchfield (xor-syst@devilnet.co.uk) Description *********** The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's (http://netwinsite.com) DNewsWeb (dnewsweb/dnewsweb.exe v5.3e1), CGI program designed to give access to NNTP services over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed allowing execution of arbitrary code compromising the web server. Details ******* The are several unchecked buffers in this program where several of the QUERY_STRING parameters can be overflowed such as "group" and "utag". This overflow is simple to exploit by overwriting the saved return address with an address that contains a "jmp esp" or "call esp" - the remainder of the the QUERY_STRING is pointed to by the ESP. Solution ******** Netwin has made available a patch for this available from their ftp server: ftp://ftp.netwinsite.com/pub/dnewsweb/beta/ Obtain the 5.4c3 version required for your system. A check for this has been added to our security scanner, CIS. More details about CIS can be found on our web site: http://www.cerberus-infosec.co.uk/ Vendor Status ************* Netwin were alerted to this on the 3rd May 2000. Cerberus would like to thank everyone involved for their prompt response. About Cerberus Information Security, Ltd ***************************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 70 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0)208 395 4980. Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd