Red Hat Directory Server Buffer Overflow in Help System May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1015536|
SecurityTracker URL: http://securitytracker.com/id/1015536
(Links to External Site)
Date: Jan 25 2006
Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 7.1 and prior versions|
A vulnerability was reported in Red Hat Directory Server. A remote user may be able to execute arbitrary code. A local user may be able to obtain elevated privileges.|
A remote user can send a specially crafted request to the Management Console to trigger a stack overflow in the Help buttons on the Admin pages.
On UNIX-based systems, remote code execution is not possible.
In some situations, a local user can execute arbitrary code with root level privileges.
Fedora Directory Server is not affected.
Peter Winter-Smith of NGSSoftware discovered this vulnerability.
A remote user may be able to execute arbitrary code on the target system.|
A local user can execute arbitrary code with root level privileges.
Red Hat has issued a fixed version of Red Hat Directory Server (7.1 SP1), available via the Red Hat Network.|
Vendor URL: www.redhat.com/ (Links to External Site)
|Underlying OS: Linux (Red Hat Enterprise)|
Source Message Contents
Subject: High Risk Vulnerability in Red Hat Directory Server and Red Hat Certificate Server|
Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability
in Red Hat Directory Server and Red Hat Certificate Server. It is possible
that under certain circumstances these flaws could permit an unauthenticated
attacker to remotely compromise the Directory or Certificate server, in
other circumstances this flaw could facilitate local privilege escalation to
Affected versions include:
Netscape Directory Server
Red Hat Directory Server (prior to 7.1 SP1)
Red Hat Certificate Server (prior to 7.1 SP1)
These issues have been resolved in the latest patch releases for Red Hat
Directory Server 7.1 (SP1) and for Red Hat Certificate Server 7.1 (SP1),
which may be downloaded from the Red Hat Network. Release notes may be
obtained at the following address:
Red Hat have included a vendor statement which may be viewed below:
Vendor statement: Red Hat, Inc:
This issue affected Red Hat Directory Server 7.1, Red Hat Certificate
System 7.1, and earlier Netscape releases of these products.
The flaw is a stack buffer overflow related to the Help buttons available
in the Admin pages of the Management Console. A remote attacker who is
able to connect to the Management Console could send a carefully crafted
request to trigger this flaw. Note that in general, access to the
Management Console would usually be prevented by firewall configuration.
Due to the nature of the affected code, this flaw is not able to lead to
remote arbitrary code execution on Unix platforms. However, the flaw
could be used by a local attacker to gain elevated (root) privileges.
* Red Hat Directory Server 7.1 SP1, available via the Red Hat Network,
contains a patch to correct this issue.
* Red Hat Certificate Server 7.1 SP1 will be available in early 2006 which
contains a patch to correct this issue. Until the update is available,
users can mitigate this issue by removing the help.cgi binary.
* This flaw did not affect Fedora Directory Server.
NGSSoftware are going to withhold details of this flaw for three months.
Full details will be published on the 05th January 2006. This three month
window will allow users of Sun Directory Server the time needed to apply the
patch before the details are released to the general public. This reflects
NGSSoftware's approach to responsible disclosure.
NGSSoftware Insight Security Research
+44(0)208 401 0070