Witango & Tango 2000 Application Server Remote Sys

Full Version: Witango & Tango 2000 Application Server Remote Sys

GovernmentSecurity.org > General GSO > Exploit & Vulnerability Mailing List Archives

GSecur

Jul 23 2003, 04:09 PM

NGSSoftware Insight Security Research Advisory

Name: WiTango Application Server & Tango 2000
Systems Affected: Windows
Severity: Critical Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.witango.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 18th July 2003
Advisory number: #NISR18072003

Description
***********

As detailed on http://www.witango.com - Witango can provide your Web Application with a solid application framework, a simple interface for both the production and ongoing maintenance of complex application logic, a variety of mechanisms to integrate to non-web interfaces, and a wide range of database connectivity options. The Witango product suite provides a comprehensive Integrated Development Environment (IDE) to enable application developers to rapidly generate XML files which can then be deployed to a wide range of operating systems. Witango is a fast to learn, easy to use, scalable solution for the Professional Web Application Developer.

Details
*******

By passing a long cookie to Witango_UserReference we overwrite the saved return address on the stack. As Witango is installed as LocalSystem, any arbitrary code execution will run as SYSTEM

GET /ngssoftware.tml HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-gb
User-Agent: My Browser
Host: ngssoftware.com
Connection: Keep-Alive
Cookie: Witango_UserReference= parameter length 2864

I have been asked by Phil Wade of Witango to mention the following: "We also did some tests on older versions of the server and found the vulnerability also exists in the previous version of the server which was known as Tango 2000. Can you also mention that Tango 2000 is also vulnerable and should be upgraded to Witango 5.0.1.062 especially if the Tango 2000 server is accessible from the internet"

Fix Information
***************

NGSSoftware alerted Witango to this issue on 13th July 2003. I would like to mention, that Witango acted very quickly in producing a patch helping to ensure that their clients are protected. Please visit http://www.witango.com to download the latest build.

A check for this issue has been added to Typhon, a comprehensive automated vulnerability assessment tool of which more information is available from the NGSSite http://www.ngssoftware.com

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in London, and St Andrews Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments.

http://www.ngssoftware.com
http://www.ngsconsulting.com

Telephone: +44 208 40 100 70
Fax: +44 208 401 0076

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.