SecurityTracker.com

SecurityTracker
Archives
Category: Application (Web Server/CGI) > Sun ONE/iPlanet Web Server
Vendors: Sun

(Sun Issues Fix) Re: iPlanet Web Server Buffer Overflow in Search Function Lets Remote Users Execute Arbitrary Code on the Server

SecurityTracker Alert ID: 1005238
SecurityTracker URL: http://securitytracker.com/id/1005238
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 17 2002
Impact: Execution of arbitrary code via network, Root access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.1, 6.0

Description: A buffer overflow vulnerability was reported in the iPlanet Web Server's search function. A remote user can cause arbitrary code to be executed with the privileges of the web server.

NGSSoftware reported that the default configuration does not enable the search capabilities. However, if search has been enabled by the administrator, the system may be vulnerable.

A remote user can send a specially crafted and overly long value for the 'NS-rel-doc-name' parameter to overwrite a saved return address on the stack, giving the remote user control over the process execution.

According to the report, the code will run in the security context of the account running the web server (local SYSTEM on Windows NT/2000, for example).

Impact: A remote user can execute arbitrary code with the privileges of the web server.

Solution: Sun has released the following fixes:

* iPlanet Web Server 4.1 Service Pack 11 or later
* Sun ONE Web Server 6.0 Service Pack 4 or later

The above upgrades are available at the following web site:

http://wwws.sun.com/software/download/inter_ecom.html#webs


Sun has also provided the following workaround:

If you are not able to immediately upgrade to a fixed version of the web server, compile and install the following NSAPI SAF [see the Source Message or the Vendor URL for the proper text formatting]:

#include <nsapi.h>

/* AuthTrans SAF: abort any request that carries a Transfer-Encoding header.
 * pb holds the directive's own parameters and is unused here. */
NSAPI_PUBLIC int noTransEnc(pblock *pb, Session *sn, Request *rq)
{
    int ret = REQ_NOACTION;
    char *temp;

    /* The server stores request header names in lower case, so this lookup
     * matches the header whatever case the client used. */
    temp = pblock_findval("transfer-encoding", rq->headers);

    if (temp != NULL) {
        /* log_error() takes a printf-style format; %s records the header value. */
        log_error(LOG_SECURITY, "noTransEnc", sn, rq,
                  "Attempted Transfer-Encoding: %s ... aborting.", temp);
        protocol_status(sn, rq, 505, "HTTP Version Not Supported");
        ret = REQ_ABORTED;
    }
    return ret;
}

Usage (magnus.conf and obj.conf fragments):

    Init fn="load-modules" shlib="[path to libs]/noTranEnc.so" funcs="noTransEnc"

    <Object name=default>
    AuthTrans fn=noTransEnc

This plugin can be used in other stages of request handling if chunked encoding is needed for certain paths within the server. Those paths would then not be protected from attack. To be of any use, the plugin must run before the first Service function is run.
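The following is an added example, not Sun's, iPlanet's or SecurityTracker's code, written in plain C so it runs without the NSAPI headers. It shows the two checks the advisory is about side by side: the decision the noTransEnc SAF above makes (any Transfer-Encoding header, matched case-insensitively, is refused with 505 and the request aborted), and the bounds check the vulnerable search code lacked, where the length of the NS-rel-doc-name value is tested before a single byte is copied into a fixed-size stack buffer. MAX_DOC_NAME, the 414 status for an overlong parameter, the function names and the sample requests are assumptions constructed for this example; the service packs listed above remain the actual fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Sun's or iPlanet's code: the decision the noTransEnc SAF
 * makes, plus a bounded copy of NS-rel-doc-name, in plain C without NSAPI.
 * MAX_DOC_NAME, the 414 status and the sample requests are constructed. */
#define MAX_DOC_NAME 256
enum verdict { ALLOW = 0, REJECT_MALFORMED = 400, REJECT_PARAM_TOO_LONG = 414,
               REJECT_TRANSFER_ENCODING = 505 /* the status the SAF sends */ };

/* Case-insensitive compare of n bytes; a NUL in a ends the comparison safely. */
static int name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Value of header `name` (HTTP header names are case-insensitive), or NULL. */
static const char *find_header(const char *raw, const char *name, size_t *len)
{
    const char *p = strstr(raw, "\r\n");
    size_t nlen = strlen(name);
    if (p == NULL) return NULL;
    for (p += 2; *p != '\0' && strncmp(p, "\r\n", 2) != 0;) {   /* stop at the blank line */
        const char *eol = strstr(p, "\r\n");
        if (eol == NULL) eol = p + strlen(p);
        if (name_eq(p, name, nlen) && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < eol && *v == ' ') v++;
            *len = (size_t)(eol - v);
            return v;
        }
        p = (*eol != '\0') ? eol + 2 : eol;
    }
    return NULL;
}

/* Value of query parameter `key` in the request target, or NULL. */
static const char *find_query_param(const char *raw, const char *key, size_t *len)
{
    const char *line_end = strstr(raw, "\r\n"), *target, *tend, *q;
    size_t klen = strlen(key);
    if (line_end == NULL || (target = memchr(raw, ' ', (size_t)(line_end - raw))) == NULL) return NULL;
    target++;
    tend = memchr(target, ' ', (size_t)(line_end - target));
    if (tend == NULL) tend = line_end;
    q = memchr(target, '?', (size_t)(tend - target));
    if (q == NULL) return NULL;
    for (q++; q < tend;) {
        const char *amp = memchr(q, '&', (size_t)(tend - q));
        const char *pend = amp ? amp : tend;
        if ((size_t)(pend - q) > klen && strncmp(q, key, klen) == 0 && q[klen] == '=') {
            *len = (size_t)(pend - (q + klen + 1));
            return q + klen + 1;
        }
        if (amp == NULL) break;
        q = amp + 1;
    }
    return NULL;
}

/* Screen one raw request; on ALLOW doc_name holds the NUL-terminated value
 * (empty when the parameter is absent). */
int screen_request(const char *raw, char *doc_name, size_t doc_name_size)
{
    size_t vlen = 0;
    const char *v;
    if (strstr(raw, "\r\n") == NULL) return REJECT_MALFORMED;
    /* Check 1: noTransEnc's rule, whatever case the client used for the name. */
    if (find_header(raw, "transfer-encoding", &vlen) != NULL) return REJECT_TRANSFER_ENCODING;
    /* Check 2: the length is tested before a single byte reaches the buffer;
     * an unbounded strcpy() here is what lets an overlong value overwrite the
     * saved return address. */
    v = find_query_param(raw, "NS-rel-doc-name", &vlen);
    if (v == NULL) { doc_name[0] = '\0'; return ALLOW; }
    if (vlen >= doc_name_size) return REJECT_PARAM_TOO_LONG;
    memcpy(doc_name, v, vlen);
    doc_name[vlen] = '\0';
    return ALLOW;
}

char last_doc_name[MAX_DOC_NAME];   /* value accepted by the last screen_default() */
int screen_default(const char *raw) { return screen_request(raw, last_doc_name, sizeof last_doc_name); }

/* Constructed sample requests. */
const char SAMPLE_OK[] = "GET /search?NS-rel-doc-name=index.html&NS-query=test HTTP/1.0\r\n"
                         "Host: www.example.test\r\n\r\n";
const char SAMPLE_CHUNKED[] = "POST /search HTTP/1.1\r\nHost: www.example.test\r\n"
                              "Transfer-Encoding: chunked\r\n\r\n";

/* Constructed request whose parameter value is 400 bytes, past MAX_DOC_NAME. */
int overlong_verdict(void)
{
    char fill[401], raw[600];
    memset(fill, 'A', 400);
    fill[400] = '\0';
    snprintf(raw, sizeof raw, "GET /search?NS-rel-doc-name=%s HTTP/1.0\r\n\r\n", fill);
    return screen_default(raw);
}

int main(void)
{
    printf("ok=%d chunked=%d overlong=%d\n", screen_default(SAMPLE_OK),
           screen_default(SAMPLE_CHUNKED), overlong_verdict());
    return 0;
}
```

The two checks are independent: the bounded copy is the fix for the overflow itself, while refusing Transfer-Encoding, as Sun's SAF does, only keeps chunked request bodies away from the server and has to sit in a stage that runs before any Service function, exactly as the usage note above says.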

Some relief from the buffer overflow is available by enabling non-executable user stacks (although this does not provide 100 percent protection against exploitation of this vulnerability, it makes a successful exploit much less likely). This workaround is only effective on the sun4u, sun4m, and sun4d architectures (enter "uname -m" to display a system's architecture). It will not work on Intel platforms.

To enable non-executable program stacks add the following lines to the "/etc/system" file and reboot the system:

set noexec_user_stack = 1
set noexec_user_stack_log = 1

For more information visit the NSAPI guide which has pointers about compilation at
http://docs.sun.com/source/816-5686-10/04_mysaf.htm#15053

Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46128
Cause: Boundary error
Underlying OS: Linux (Red Hat Linux), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 9 2002 iPlanet Web Server Buffer Overflow in Search Function Lets Remote Users Execute Arbitrary Code on the Server


Source Message Contents

Subject:  Sun Alert 46128


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46128

Sun issued a Sun Alert (46128) warning of a buffer overflow in the Sun
ONE web server.

Sun reports that a remote user can execute arbitrary code on systems
running the iPlanet Web Server or the Sun ONE Web server due to a buffer
overflow in the HTTP daemon.  The code will run with the privileges of
the iPlanet Web Server HTTP process or the Sun ONE Web server.  These
server HTTP daemons normally run as the unprivileged uid 'nobody' (uid
60001).


This issue is described in the eEye Digital Security advisory referenced
in http://www.eeye.com/html/Research/Advisories/AD20020808a.html.


Sun has released the following fixes:

    * iPlanet Web Server 4.1 Service Pack 11 or later
    * Sun ONE Web Server 6.0 Service Pack 4 or later

The above upgrades are available at the following web site:

    * http://wwws.sun.com/software/download/inter_ecom.html#webs


Sun has also provided the following workaround:

If you are not able to immediately upgrade to a fixed version of the web
server, compile and install the following NSAPI SAF:

#include <nsapi.h>

/* AuthTrans SAF: abort any request that carries a Transfer-Encoding header.
 * pb holds the directive's own parameters and is unused here. */
NSAPI_PUBLIC int noTransEnc(pblock *pb, Session *sn, Request *rq)
{
    int ret = REQ_NOACTION;
    char *temp;

    /* The server stores request header names in lower case, so this lookup
     * matches the header whatever case the client used. */
    temp = pblock_findval("transfer-encoding", rq->headers);

    if (temp != NULL) {
        /* log_error() takes a printf-style format; %s records the header value. */
        log_error(LOG_SECURITY, "noTransEnc", sn, rq,
                  "Attempted Transfer-Encoding: %s ... aborting.", temp);
        protocol_status(sn, rq, 505, "HTTP Version Not Supported");
        ret = REQ_ABORTED;
    }
    return ret;
}

Usage:

	Init fn="load-modules" shlib="[path to libs]/noTranEnc.so" funcs="noTransEnc"

	<Object name=default>
	AuthTrans fn=noTransEnc

This plugin can be used in other stages of request handling if chunked
encoding is needed for certain paths within the server. Those paths
would not be protected from attack. In order to be of use the plugin
must be accessed before the first Service function is run.

Some relief from the buffer overflow is available by enabling
non-executable user stacks (although this does not provide 100 percent
protection against exploitation of this vulnerability, it makes the
likelihood of a successful exploit much smaller). This workaround is
only effective on sun4u, sun4m, and sun4d architectures (enter
"uname -m" to display a system's architecture). This workaround will
not work on Intel platforms.

To enable non-executable program stacks add the following lines to the
"/etc/system" file and reboot the system:

	set noexec_user_stack = 1
	set noexec_user_stack_log = 1

For more information visit the NSAPI guide which has pointers about
compilation at
http://docs.sun.com/source/816-5686-10/04_mysaf.htm#15053.



    * Category: Security
    * Product: iPlanet Web Server, Sun ONE Web Server
    * BugIDs: 4707395, 4711825
    * Avoidance: Workaround, Upgrade
    * State: Resolved
    * Date Released: 16-Sep-2002
    * Date Closed: 16-Sep-2002
    * Date Modified:


Copyright 2019, SecurityGlobal.net LLC