SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Certificate Management)  >  Red Hat Certificate Server Vendors:  Red Hat
Red Hat Certificate Server Buffer Overflow in Help System May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015538
SecurityTracker URL:  http://securitytracker.com/id?1015538
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 25 2006
Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  NGSSoftware
Version(s): 7.1 and prior versions
Description:  A vulnerability was reported in Red Hat Certificate Server. A remote user may be able to execute arbitrary code. A local user may be able to obtain elevated privileges.

A remote user can send a specially crafted request to the Management Console to trigger a stack overflow in the Help buttons on the Admin pages.

On UNIX-based systems, remote code execution is not possible.

In some situations, a local user can execute arbitrary code with root level privileges.

Peter Winter-Smith of NGSSoftware discovered this vulnerability.
Impact:  A remote user may be able to execute arbitrary code on the target system.

A local user can execute arbitrary code with root level privileges.
Solution:  Red Hat will be issuing a fix as part of Red Hat Certificate Server 7.1 SP1, to be available shortly.

The report indicates that, as a workaround, the 'help.cgi' binary can be removed.
Vendor URL:  www.redhat.com/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Red Hat Enterprise)
Reported By:  "NGSSoftware Insight Security Research" <nisr@ngssoftware.com>
Message History:   None.

 Source Message Contents
Date:  Sun, 22 Jan 2006 13:13:09 -0000
From:  "NGSSoftware Insight Security Research" <nisr@ngssoftware.com>
Subject:  High Risk Vulnerability in Red Hat Directory Server and Red Hat Certificate Server

 
Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability
in Red Hat Directory Server and Red Hat Certificate Server. It is possible
that under certain circumstances these flaws could permit an unauthenticated
attacker to remotely compromise the Directory or Certificate server, in
other circumstances this flaw could facilitate local privilege escalation to
root.

Affected versions include:

Netscape Directory Server
Red Hat Directory Server (prior to 7.1 SP1)
Red Hat Certificate Server (prior to 7.1 SP1)

These issues have been resolved in the latest patch releases for Red Hat
Directory Server 7.1 (SP1) and for Red Hat Certificate Server 7.1 (SP1),
which may be downloaded from the Red Hat Network. Release notes may be
obtained at the following address:

https://www.redhat.com/docs/manuals/dir-server/release-
notes/ds71sp1relnotes.html

Red Hat have included a vendor statement which may be viewed below:

- ----------

Vendor statement: Red Hat, Inc:

This issue affected Red Hat Directory Server 7.1, Red Hat Certificate
System 7.1, and earlier Netscape releases of these products.

The flaw is a stack buffer overflow related to the Help buttons available
in the Admin pages of the Management Console.  A remote attacker who is
able to connect to the Management Console could send a carefully crafted
request to trigger this flaw.  Note that in general, access to the
Management Console would usually be prevented by firewall configuration.

Due to the nature of the affected code, this flaw is not able to lead to
remote arbitrary code execution on Unix platforms.  However, the flaw
could be used by a local attacker to gain elevated (root) privileges.

* Red Hat Directory Server 7.1 SP1, available via the Red Hat Network,
contains a patch to correct this issue.
https://www.redhat.com/docs/manuals/dir-server/release-
notes/ds71sp1relnotes.html

* Red Hat Certificate Server 7.1 SP1 will be available in early 2006 which
contains a patch to correct this issue.  Until the update is available,
users can mitigate this issue by removing the help.cgi binary.

* This flaw did not affect Fedora Directory Server.

http://www.redhat.com/security/team/contact/

- -----------

NGSSoftware are going to withhold details of this flaw for three months.
Full details will be published on the 05th January 2006. This three month
window will allow users of Sun Directory Server the time needed to apply the
patch before the details are released to the general public. This reflects
NGSSoftware's approach to responsible disclosure.

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2006, SecurityGlobal.net LLC