Title: Denial of Service Vulnerability in Sun AnswerBook2
Released by: Dave Monnier, Dick Repasky
Date: 13th November 2000
##############################################################################
Topic: Denial of Service Vulnerability in Sun AnswerBook2
Date: 10/24/2000
Status: Vendor Contacted 10/10/2000, Currently unsolved
Scope: Local and Remote Denial of Service
Platforms: SunOS 5.6, Presumably any running AnswerBook2
Author(s): Dave Monnier, Dick Repasky
##############################################################################

    Unix Workstation Support Group
          Indiana University
http://www.uwsg.iu.edu/

Denial of Service Vulnerability in Sun AnswerBook2

About AnswerBook2
-----------------

Sun AnswerBook2 ships with an HTTP server (dwhttpd, DynaWeb's httpd) that
allows users to access Solaris documentation using a web browser.

By default the server listens on port 8888.

Vulnerability description
-------------------------

Sun's AnswerBook fails under certain conditions to delete temporary files
that are built by its print function, filling /tmp and causing the system
to fail because processes cannot fork.  Briefly, the dwhttpd print function
builds Postscript files in /tmp and downloads them to the user's browser.
It deletes Postscript files after they are successfully sent to the
browser.  It fails to delete Postscript files if the requesting TCP
connection is broken before files are completely built and sent to the
browser.  Undeleted files can be large, and they are more likely to be
large than small.  First, some printed documents are in excess of 50 MB.
Second, users often abort print requests for large documents because the
requests require a long time to fulfill and users believe that their
requests have failed.  Users often try again.  Relatively few large
requests are necessary to fill a reasonably sized /tmp directory.  When
/tmp fills, Solaris fails because /tmp is used for swap.  If/when /tmp
fills, swap space eventually also fills, preventing additional processes
from being swapped.  Eventually system memory will fill, causing a failure
of process spawning altogether.

So far as we know it is not possible to configure the AnswerBook
dwhttpd server to use a directory other than /tmp for generating
Postscript.

Fix information
---------------

No official fix.

Non-malicious use of AnswerBook can be prevented from crashing Solaris
by a cron job that cleans AnswerBook Postscript files from /tmp very
frequently.  A suitable frequency depends upon the size of /tmp,
the amount of swapping activity on a system and demand for AnswerBook.
AnswerBook Postscript files can be globbed using dweb*.ps.
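
One way to implement the cron cleanup described above, as an added example
that is not part of the original advisory.  It is written for a POSIX shell;
the script name, the stamp-file path and the five-minute interval are
assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: periodic cleanup of abandoned
# AnswerBook2 print files (dweb*.ps in /tmp), meant to run from root's crontab.
# Constructed crontab entry (script path and 5-minute interval are assumptions):
#   0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/sbin/dweb_clean.sh /tmp /var/adm/dweb_clean.stamp
#
# A file is removed only if it has not been modified since the previous run,
# so a Postscript file that dwhttpd is still writing is left alone.

# clean_dweb_ps DIR STAMP: prints the number of files removed.
clean_dweb_ps() {
    dir=$1
    stamp=$2
    removed=0
    # First run: no reference point yet, so only record the time.
    if [ -f "$stamp" ]; then
        for f in "$dir"/dweb*.ps; do
            # Skip an unmatched glob, directories, and symlinks planted in
            # the world-writable directory; handle regular files only.
            if [ ! -f "$f" ] || [ -h "$f" ]; then
                continue
            fi
            # Modified after the last run: may still be in use, keep it.
            if [ -n "$(find "$f" -newer "$stamp" -print 2>/dev/null)" ]; then
                continue
            fi
            if rm -f "$f"; then
                removed=$((removed + 1))
            fi
        done
    fi
    touch "$stamp"   # reference time for the next run
    echo "$removed"
}

# Run only when invoked with both arguments, as in the crontab entry above.
# The stamp path is hypothetical; keep it outside /tmp so that other users
# cannot replace it.
if [ "$#" -eq 2 ]; then
    clean_dweb_ps "$1" "$2"
fi
```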



The only known safeguard against malicious attack is to shut down
AnswerBook.

Additional information
----------------------

Sun was contacted on 10/10/2000 and again on 10/17/2000 regarding this
issue.  Sun responded 10/25/2000 without presenting a solution.