|
Home : Advisories : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
Title: |
Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module |
Released by: |
S.A.F.E.R. |
Date: |
26th October 2000 |
Printable version: |
Click here |
__________________________________________________________
S.A.F.E.R. Security Bulletin 001026.EXP.1.8
__________________________________________________________
TITLE : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
DATE : October 26, 2000
NATURE : Remote execution of code, Denial-of-Service
AFFECTED : Confirmed on Solaris, Linux and Windows NT
PROBLEM:
Buffer overflow exists in iPlanet Web Server 4.x, which can lead to
Denial-of-Service or remote execution of code in context of user which iWS
webserver is running as. 'Parsed HTML' option (server side parsing) must
be enabled for vulnerability to be exploited.
DETAILS:
By sending a request of 198-240 characters (depending on the iWS
version/platform) with extension .html (by default), it is possible to
overflow internal buffer in stack. iWS must have server side 'parsing'
turned on. By default (when enabled), .html files are parsed.
Overflow happens in logging function (when iWS tries to report that file
is not found). If exploitation is successful (or iWS segfaults), nothing
will remain in the logs.
EXPLOIT:
Exploit will be released in 2 weeks (this is subject to change).
FIXES:
Workaround is to disable server side parsing of HTML pages.
We are not aware of any vendor fixes for this issue. Vendor has been
notified on multiple instances (including mass-mailing to every single
vendor email we could find) about this and other problems during January
and February (including '?wp tags' - see
http://www.safermag.com/advisories/0008.html). The vendor published a
workaround for ?wp tags, but we have received no feedback on the SHTML
problem. On March 23rd we contacted Sun/iPlanet again and on March 24th it
was suggested to have a conference call / discussion. We never heard from
them again.
CREDITS:
Vanja Hrustic
Fyodor Yarochkin
Thomas Dullien
__________________________________________________________
S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________
|