SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Netscape, Sun
(eEye Provides Exploit Information) Re: iPlanet Web Server Allows Remote Users to Execute Arbitrary Code on the Server and to Crash the Server
SecurityTracker Alert ID:  1001553
SecurityTracker URL:  http://securitytracker.com/id/1001553
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 16 2001
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): v4.1 SP 3-7
Description:   iPlanet announced that there is a vulnerability in the iPlanet Web Server that allows a remote user to crash the web services. The vulnerability also allows a remote user to gain shell access on the server (note that iPlanet did not mention this latter impact in their advisory).

eEye Digital Security reports that the Web Publisher feature in Netscape Enterprise 4.1 (iPlanet) contains a buffer overflow vulnerability that allows a remote user to obtain shell access on the server.

The overflow reportedly exists in the Web Publisher's handling of the URI for publisher-specific methods, such as GETPROPERTIES or GETATTRIBUTENAMES.

eEye provides a transcript of a demonstration exploit sequence (the exploit code to generate a remote shell is not yet provided):

C:\>telnet www.example.com 80
Connecting To www.example.com... connected.
GETPROPERTIES /(buffer) HTTP/1.1
Host: Hostname
(enter)
(enter)

If the (buffer) is 2000 characters, this will trigger the vulnerability.
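
A log check for the request pattern described above, added here as an example and not taken from eEye, iPlanet or SecurityTracker: it scans access-log lines for the named Web Publisher methods, or any other non-standard method, carrying an oversized URI. The Common Log Format layout, the 1024-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# Methods named in the advisory; other publisher-specific methods are not listed on the page.
NAMED_METHODS = {"GETPROPERTIES", "GETATTRIBUTENAMES"}
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
URI_LIMIT = 1024  # assumed alert threshold, set below the 2000 characters cited in the advisory

# Assumed Common Log Format: host ident user [time] "METHOD URI PROTO" status bytes
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: ([^"]*))?" (\d{3}|-) (\S+)$'
)

def classify(line, limit=URI_LIMIT):
    """Return a finding dict for a suspicious request line, or None otherwise."""
    m = CLF.match(line.strip())
    if not m:
        return None  # unparsable lines are skipped, not flagged
    host, when, method, uri, _proto, status, _size = m.groups()
    method = method.upper()
    # Only non-standard methods with an oversized URI match the advisory's pattern.
    if method in STANDARD_METHODS or len(uri) < limit:
        return None
    reason = ("named-publisher-method" if method in NAMED_METHODS
              else "nonstandard-method")
    return {"host": host, "time": when, "method": method,
            "uri_len": len(uri), "status": status, "reason": reason}

def scan(lines, limit=URI_LIMIT):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l, limit) for l in lines) if f]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [16/May/2001:10:01:02 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.77 - - [16/May/2001:10:02:41 -0700] "GETPROPERTIES /'
    + "A" * 2000 + ' HTTP/1.1" 500 -',
    '192.0.2.77 - - [16/May/2001:10:02:59 -0700] '
    '"GETATTRIBUTENAMES /docs/readme.txt HTTP/1.1" 200 412',
    '192.0.2.80 - - [16/May/2001:10:03:15 -0700] "FOOBAR /'
    + "B" * 1500 + ' HTTP/1.1" 501 -',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A request that crashes the server process may never reach the access log, so this check is best paired with monitoring for unexpected web server restarts.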

Impact:   A remote user can cause the web server application to crash. In the Web Publisher vulnerability, a remote user can obtain shell access on the server.
Solution:   The vendor has released a fix. See the Vendor URL.

The vendor recommends deploying the NSAPI patch for the relevant platform:

aix_flexlog2.tgz
dec-osf1_flexlog2.tgz
hpux_flexlog2.tgz
linux_flexlog2.tgz
solaris_flexlog2.tgz
winnt_flexlog2.zip

Vendor URL:  www.iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 15 2001 iPlanet Web Server Allows Remote Users to Execute Arbitrary Code on the Server and to Crash the Server



 Source Message Contents

Subject:  iPlanet - Netscape Enterprise Web Publisher Buffer Overflow



Release Date:
May 11, 2001

Severity:
High (Remote SYSTEM level code execution)

Systems Affected:
Netscape Enterprise 4.1 and prior versions.

Description:
The Web Publisher feature in Netscape Enterprise 4.1 is vulnerable to a
buffer overflow. By sending a large buffer containing executable code and a
new Instruction Pointer, an attacker is able to gain remote system shell
access to the vulnerable server.

The overflow itself exists in Publisher's handling of the URI (Uniform
Resource Identifier). By specifying GETPROPERTIES, GETATTRIBUTENAMES, or any
other one of the publisher specific methods, we can pass data into a
vulnerable section of the server and exploit the vulnerability.

Example:
C:\>telnet www.example.com 80
Connecting To www.example.com... connected.
GETPROPERTIES /(buffer) HTTP/1.1
Host: Hostname
(enter)
(enter)

Where (buffer) is 2000 characters.

The Exploit:
We have not had time yet to produce a proof of concept exploit, however
expect one soon.

Vendor Status:
Quote from iPlanet's development team: "The security & stability of
iPlanet's customer's environments is one of our paramount concerns. To
ensure the stability of our customer's environments iPlanet has made
available an NSAPI patch that can be applied to iPlanet Web Server,
Enterprise Edition."

The NSAPI patch is available at:
http://iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html .
This issue will also be addressed by the release of iPlanet Web Server,
Enterprise Edition version 4.1 Service Pack 8.

Credit:
Riley Hassell (riley@eeye.com)

Related Links:
SecureIIS, Stop known and unknown IIS web server vulnerabilities.
http://www.eeye.com/SecureIIS

Retina, The Network Security Scanner. http://www.eeye.com/Retina

Greetings:
Tool for an amazing new album. NiN for another beautiful single.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

 
 



Copyright 2019, SecurityGlobal.net LLC