26th Sep 2002 [SBWID-5285]
COMMAND
	Webtrends Reporting Center buffer overflow  leading  to  arbitrary  code
	execution
SYSTEMS AFFECTED
	WebTrends Reporting Center 4.0d
PROBLEM
	In  NGSSoftware  Insight  Security  Research   Advisory   #NISR17042002C
	[http://www.ngssoftware.com/] :
	 Description
	 ===========
	WebTrends Reporting Center provides fast and comprehensive  analysis  of
	web  site   activity   to   multiple   decision-makers   throughout   an
	organization via a browser-based interface. WebTrends  Reporting  Center
	is, according to their  own  website,  NetIQ's  flagship  web  analytics
	reporting product, recently receiving  an  Editor's  Choice  Award  from
	Network Computing Magazine  (Feb 6, 2002).
	 Details
	 =======
	Buffer Overrun
	To exploit this vulnerability, an attacker must first undergo user
	authentication at
	
	http://targetmachine:1099(default listening port)/remote_login.pl
	
	However, Webtrends Reporting Server allows anonymous logins for  reports
	that are made available for public viewing. After  a  successful  login,
	making a GET request to
	
	http://targetmachine:1099/reports/(Long Char String)
	
	will cause an access violation in WTRS_UI.EXE (WTX_REMOTE.DLL),
	overwriting the saved return address on the stack. The Reporting Server
	process, WTRS_UI.EXE, is by default started as a system service along
	with WTRS.EXE, therefore any arbitrary code would execute with system
	privileges.
	Path Disclosure
	By making a simple GET request for
	
	http://targetmachine/get_od_toc.pl?Profile=
	
	(no authentication required) an error message is returned
	
	Unable to open content file path=C:/PROGRA~1/WEBTRE~1/wtm_wtx/
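
	A log check for the two request patterns described above, added here as
	an example and not part of the NGSSoftware advisory. It assumes requests
	are logged in Common Log Format by a front end; the length threshold,
	rule names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: requests are logged in Common Log Format by a front end or
# proxy; the advisory does not describe the product's own log layout.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"'
)

# Assumption: the advisory gives no overflow length; tune this to the
# longest legitimate report path seen on your own server.
MAX_REPORT_TAIL = 256


def classify(line):
    """Return (rule, source, detail) for a suspicious request, else None."""
    m = CLF.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    # Buffer overrun pattern: GET /reports/<long string>
    if path.startswith("/reports/"):
        tail_len = len(path) - len("/reports/")
        if tail_len > MAX_REPORT_TAIL:
            return ("overlong-reports-path", m["src"], tail_len)
    # Path disclosure pattern: GET /get_od_toc.pl?Profile= (empty value)
    if path.endswith("/get_od_toc.pl"):
        query = parse_qs(url.query, keep_blank_values=True)
        if query.get("Profile") == [""]:
            return ("empty-profile-request", m["src"], 0)
    return None


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation addresses, not real traffic).
TS = "[26/Sep/2002:10:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /reports/summary.htm HTTP/1.0" 200 5120',
    f'192.0.2.44 - - {TS} "GET /reports/{"x" * 1200} HTTP/1.0" 500 0',
    f'192.0.2.44 - - {TS} "GET /get_od_toc.pl?Profile= HTTP/1.0" 200 98',
    f'192.0.2.10 - - {TS} "GET /get_od_toc.pl?Profile=sales HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```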
	
SOLUTION
	 Fix Information
	 ===============
	NGSSoftware alerted Webtrends to the buffer overrun issue on 31st  March
	2002 and future versions will be fixed. There is still some question  as
	to whether a patch  will  be  produced  for  earlier  versions.  In  the
	meantime  NGSSoftware  recommend  preventing  anonymous  access  to  the
	Reports server. NGSSoftware recommend that where possible,  the  service
	be run as a low privileged account  as  opposed  to  starting  it  as  a
	system service.
	A check for these issues has been added to Typhon II, NGSSoftware's
	vulnerability assessment scanner, of which more information is
	available from the NGSSite : http://www.ngssoftware.com/.