SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server Vendors:   Sun
iPlanet Web Server Buffer Overflow in Search Function Lets Remote Users Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1004730
SecurityTracker URL:  http://securitytracker.com/id/1004730
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 9 2002
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1, 6.0
Description:   A buffer overflow vulnerability was reported in the iPlanet Web Server's search function. A remote user can cause arbitrary code to be executed with the privileges of the web server.

NGSSoftware reported that the default configuration does not enable the search capabilities. However, if search has been enabled by the administrator, the system may be vulnerable.

A remote user can send a specially crafted and overly long value for the 'NS-rel-doc-name' parameter to overwrite a saved return address on the stack, giving the remote user control over the process execution.

According to the report, the code will run in the security context of the account running the web server (local SYSTEM on Windows NT/2000, for example).

Impact:   A remote user can execute arbitrary code with the privileges of the web server.
Solution:   The vendor has released a service pack. Users of iPlanet Web Server 6 should install Service Pack 3. Users of iPlanet Web Server 4.1 should install Service Pack 10.
Vendor URL:  www.iplanet.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Linux), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Sun Issues Fix) Re: iPlanet Web Server Buffer Overflow in Search Function Lets Remote Users Execute Arbitrary Code on the Server
Sun has issued a fix.



 Source Message Contents

Subject:  [VulnWatch] Sun iPlanet Web Server Buffer Overflow (#NISR09072002)


NGSSoftware Insight Security Research Advisory

Name: iPlanet Search Buffer Overflow
Systems: iWS 6.0 and iWS 4.1
Severity: High Risk (if Search enabled)
Category: Remote Buffer Overrun Vulnerability
Vendor URL: http://www.iplanet.com/
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/sun-iws.txt
Date: 9th July 2002
Advisory number: #NISR09072002A
VNA reference : http://www.nextgenss.com/vna/sun-iws.txt

Description
***********
iPlanet's Web Server, now owned and maintained by Sun Microsystems, has a
remotely exploitable buffer overrun vulnerability in the search component.


Details
*******
By default, the search capabilities of iPlanet's Web Server are turned off,
but if search has been enabled then the server is vulnerable to a remotely
exploitable buffer overrun. By supplying an overly long value for the
'NS-rel-doc-name' parameter a saved return address is overwritten on the
stack, giving control over the vulnerable process' execution. Any code
supplied will run in the security context of the account running the web
server. On Windows NT/2000, for example, this account is the local SYSTEM
account, by default, so any code will run uninhibited.


Fix Information
***************
NGSSoftware alerted Sun to this problem on the 25th of April 2002 and were
informed that Sun wanted to address this in the next service pack, despite
NGSSoftware's recommedation that a hotfix should be released as this is a
remotely exploitable issue. This aside the service pack has been released.

Users of iPlanet Web Server 6 should install Service Pack 3.
Users of iPlanet Web Server 4.1 should install Service Pack 10.

A check for this vulnerability has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner, of which, more information is available
from the NGSSite, http://www.ngssoftware.com/ .









 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC