SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Sun ONE/iPlanet Web Server Vendors:   Sun
Sun iPlanet Web Server Buffer Overflow in Encoded Transfer Chunk Processing Allows Remote Users to Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1005000
SecurityTracker URL:  http://securitytracker.com/id/1005000
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 9 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.1, 6.0
Description:   A buffer overflow vulnerability was reported in Sun's iPlanet web server. A remote user can execute arbitrary code on the system and obtain root privileges or can cause the web service to crash.

eEye Digital Security reported that there is a vulnerability in the processing of encoded transfer chunks. A remote user can send a specially crafted HTTP session to overwrite a portion of the heap and alter the flow of code execution to execute arbitrary code on the server. The bug is due to the incorrect calculation of message size.

According to the report, this is not the same as the integer overflow in transfer chunk encoding that was recently reported for Microsoft Internet Information Server and Apache web servers.

A demonstration exploit session is provided (where '[DATA]' will overflow heap memory):

POST /EEYE.html HTTP/1.1
Host: www.EEYE2002.com
Transfer-Encoding: chunked
Content-Length: 22

4
EEYE
7FFFFFFF
[DATA]

Impact:   A remote user can execute arbitrary code on the system with root privileges or can cause the service to crash.
Solution:   The vendor has released a fixed version (4.1 SP11 and 6.0 SP4), available at:

http://wwws.sun.com/software/download/allproducts.html

Also, a patch is available at:

http://www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html

Vendor URL:  www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (Solaris - SunOS)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] EEYE: Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow


Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow

Release Date: August 8, 2002

Severity:
High (Remote SYSTEM/ROOT)

Systems Affected:
iPlanet 6.0 and prior

Description:
A vulnerability in transfer chunking can be exploited to remotely execute
code of an attacker's choice on a vulnerable machine. By sending a carefully
crafted session, an attacker can overwrite a section of the heap. Various
data structures in the overwritten heap can be manipulated to move attacker
supplied data to attacker supplied memory addresses, thereby altering the
flow of execution into an attacker supplied payload.

Note this variant is not the integer overflow affecting IIS and Apache that
was discovered during regression testing with Microsoft. This is another
variant relating to incorrect size calculation.

The following example will show the vulnerable condition:

**************Begin Session****************
POST /EEYE.html HTTP/1.1
Host: www.EEYE2002.com
Transfer-Encoding: chunked
Content-Length: 22

4
EEYE
7FFFFFFF
[DATA]
**************End Session******************

[DATA] will overwrite heap memory. Increase or decrease depending on
implementation.

Technical Description:
The example session above overwrites a section of the heap that contains
data structures related to the Memory management system. By manipulating the
content of these structures, we can overwrite an arbitrary 4 bytes of memory
with an attacker supplied address.

It is widely assumed that the risk for these type of vulnerabilities is
fairly low due to the fact that addressing is dynamic and that you must use
brute force in your attack; however, this is false assumption and
exploitation can be successful with one attempt, across dll versions. An
attacker can overwrite static global variables, stored function pointers,
process management structures, memory management structures, or any number
of data types that will allow him to gain control of the target application
in one session.

Vendor Status:
Sun has released a security bulletin and patch:
http://www.sun.com/service/support/software/iplanet/alerts/transferencodinga
lert-23july2002.html

Credit: Riley Hassell

Greetings:
Eli, Kasia, Halvar, FX, and the three amigos K2, Dark Spyrit, and Joey.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC