SecurityTracker.com
Category:  Application (Generic) > Netscape Directory Server
Vendors:  Netscape
Netscape iPlanet Directory Server Can Be Remotely Crashed and May Execute Remotely-Supplied Arbitrary Code on the Server
SecurityTracker Alert ID:  1001069
SecurityTracker URL:  http://securitytracker.com/id/1001069
CVE Reference:  CVE-2001-0164
Date:  Mar 12 2001
Impact:  Denial of service via network, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  4.1 (bundled with Netscape Messaging Server); also 4.12
Description:   @Stake advised that attackers can cause the Netscape Directory Server to crash and may be able to execute arbitrary code on the directory server. The vendor has issued patches for this vulnerability.

The advisory notes that the Netscape Directory Server that comes with Netscape Messaging Server 4.15SP3 is vulnerable to a buffer overflow condition if a specially crafted query is received. The overflow can either crash the directory server or cause arbitrary code to be executed on the server with the permissions of the directory server.
Netscape Directory Server 4.12 is reportedly also subject to the same overflow; however, it is not clear whether code execution is possible, because of the memory location to which the overflowed string is copied.

For more information, see the original advisory:
www.atstake.com/research/advisories/2001/a030701-1.txt

Impact:   Remote attackers can cause the Netscape Directory Server to crash and may be able to execute arbitrary code on the directory server.
Solution:   The vendor recommends an immediate upgrade to Directory Server 4.13 and recommends that NMS 4.15 customers upgrade to Patch 4.
Vendor URL:  www.iplanet.com/products/iplanet_directory/home_2_1_1z.html
Cause:   Boundary error
Underlying OS:  Windows (NT)
Underlying OS Comments:  Possibly others

Message History:   None.


 Source Message Contents

Subject:  @stake Advisory Notification: Netscape Directory Server buffer


                              @stake, Inc.
                            www.atstake.com

                    Security Advisory Notification


Advisory Name: Netscape Directory Server buffer overflow
 Release Date: 03/07/2001
  Application: Netscape Directory Server 4.1 (bundled with Netscape
               Messaging Server)
               Netscape Directory Server 4.12 (may be DoS only)
     Platform: Windows NT (possibly others)
     Severity: An attacker can cause the Directory Server to crash, or may
               be able to execute arbitrary code on the server.
       Author: Frank Swiderski (fes@atstake.com)
Vendor Status: Vendor has issued patches
          CVE: CAN-2001-0164
    Reference: www.atstake.com/research/advisories/2001/a030701-1.txt


Overview:

The Netscape Directory Server that comes with Netscape Messaging
Server 4.15SP3 is vulnerable to a buffer overflow condition if a specially
crafted query is received.  The Directory Server is used to store various
user information for Messenger.  The overflow can result in either a
denial of service or arbitrary code execution on the server.  Netscape
Directory Server 4.12 is also subject to the same overflow; however, code
execution may or may not be possible due to the location the resultant
string is copied to.

Note that Netscape Messaging Service will ask for a directory
server to use during installation; by default it will install and use its
own copy of Directory Server 4.1.  The Messaging service also enables
services which use the Directory Server, such as SMTPD, by default.  Both
the Messaging Server and the Directory server are available for many
flavors of Unix as well as for Windows NT, and are commonly used for
managing corporate email.

For more information on LDAP and its protocols, ldapman.org has an
excellent collection of LDAP RFC links at
http://ldapman.org/ldap_rfcs.html. For SMTP, see RFC-821 and RFC-822.


Vendor Response:

 iPlanet Directory Server (iDS) Support greatly appreciates these issues
 being brought to our attention. We are reporting that these issues do
 occur in the following iPlanet products:

     NMS 4.15 (contains the bundled Directory Server 4.11)
     iPlanet Messaging Server 5.0 (contains the bundled Directory Server
     4.12)
     Directory Server 4.11 and 4.12 products.

 For all products, an immediate upgrade to Directory Server 4.13 is
 available through the iPlanet Support Channel.  In addition, we recommend
 NMS 4.15 customers upgrade to Patch 4.

 Exposure Specifics:

 The exposure to existing customers is isolated to the Directory Server
 4.11 and 4.12 products.  As reported, the overflow can result in either a
 denial of service or arbitrary code execution on the server.  Netscape
 Directory Server 4.12 is also subject to the same denial of service
 overflow; however, code execution is not possible.

 The Netscape Mail Server 4.15p3 issue of a buffer overflow in the SMTP
 session has been resolved in a fix in the NMS 4.15p4 release.  This fix
 limits the line size of any given command in SMTP command mode.  Should
 you send a very long (> 16KB) line to the MTA in command mode, you will
 get a disconnect with a reply of 550 + text.

 We also identified that the iPlanet Messaging Server 5.0 release bundles
 Directory Server 4.12, and it also requires the upgrade to Directory
 Server 4.13.  We are pleased to find that Messaging Server 5.0 does not
 contain the same SMTP session overflow issue.


Advisory Reference:

http://www.atstake.com/research/advisories/2001/a030701-1.txt

** The advisory contains additional information.  We encourage those
** affected by this issue to read the advisory.
**
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.


Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.
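
The vendor response above describes the NMS 4.15p4 fix as a cap on the length of any command-mode line, answered past 16KB with a 550 reply and a disconnect. As an added example (not iPlanet's or @stake's code), the C reader below enforces such a cap even when one line arrives across several network chunks; the struct, the function name and the 0/250 return convention are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SMTP_MAX_LINE (16 * 1024)   /* the "> 16KB" limit from the vendor response */

struct smtp_line {
    char   buf[SMTP_MAX_LINE + 1];  /* +1 keeps room for the terminating NUL */
    size_t len;                     /* bytes of the current command so far */
};

/* Feed one network chunk of command-mode input.
 * Returns 0   = no LF yet, keep reading (partial line stays in l->buf),
 *         250 = complete command in l->buf (CRLF stripped, NUL-terminated),
 *         550 = line exceeded SMTP_MAX_LINE: send the reply and disconnect.
 * Bytes after the first LF are ignored here (no pipelining in this example). */
int smtp_on_chunk(struct smtp_line *l, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            if (l->len > 0 && l->buf[l->len - 1] == '\r')
                l->len--;                    /* strip the CR of CRLF */
            l->buf[l->len] = '\0';
            l->len = 0;                      /* next chunk starts a new line */
            return 250;
        }
        if (l->len >= SMTP_MAX_LINE) {       /* bound checked before every write */
            l->len = 0;
            return 550;
        }
        l->buf[l->len++] = data[i];
    }
    return 0;
}

int main(void)
{
    static struct smtp_line l;               /* zero-initialised */
    static char flood[SMTP_MAX_LINE + 1];    /* constructed input: 16385 bytes, no LF */
    const char *cmd = "HELO client.example\r\n";  /* constructed sample command */

    memset(flood, 'A', sizeof flood);
    printf("normal command -> %d\n", smtp_on_chunk(&l, cmd, strlen(cmd)));
    printf("over-long line -> %d\n", smtp_on_chunk(&l, flood, sizeof flood));
    return 0;
}
```

The length check runs before each byte is stored, so the buffer cannot be overrun no matter how the sender splits the line across packets.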
