Bugtraq mailing list archives
Re: [Fwd: ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Web Servers]
From: jason.axley () ATTWS COM (Jason Axley)
Date: Wed, 1 Sep 1999 14:01:53 -0700
Just to keep y'all updated, and to summarize what's known so far:

1) The ISS advisory sucks (no details, didn't mention that it was NT-only or that Solaris wasn't vulnerable, they supposedly worked with Netscape on this, but don't have more specific info about which platforms/versions are vulnerable, and it does not mention that the fix is included in the SSL handshake fix (leaving folks to wonder "huh?" when told to apply a fix that doesn't seem to have any relation to the problem))

2) Netscape surreptitiously fixed a serious buffer overflow bug and included it in the SSL handshake patch and didn't notify anyone of the bug's existence (to this day there isn't any verbiage at http://www.iplanet.com/downloads/patches/detail_12_86.html that mentions this GET overflow). Bad Netscape...no cookie!

3) The information in the database at www.securityfocus.com about this vulnerability is either wrong or they know something we don't because it lists specific operating systems and Netscape product versions not mentioned on BugTraq or in the ISS advisory.

4) The advisory mentions NES 3.6sp2 as being vulnerable. I have since used the ISS scanner and the NetscapeGetOverflowFlexCheck to verify that NES 3.5.1 on NT is also vulnerable. Solaris is not vulnerable (at least to this specific variant ;^>).

5) Myself and at least another individual who contacted me are interested in finding out what the FlexCheck is doing so that we can post details on what the problem is and perhaps why UNIX versions don't appear to be vulnerable. If I find anything else out, I'll "open-source" the details so that those without ISS scanner can confirm whether their systems are vulnerable or not.

5) I'm not the only one annoyed by the terse, disconnected advisories from ISS X-Force of late.

-Jason

Quoting X-Force <xforce () ISS NET>:
Comments within.

Erik Fichtner wrote:

Is this vulnerability in other versions of Enterprise server?

We tested the vulnerability against the current releases of Enterprise and FastTrack. Earlier versions may be vulnerable, but they were not tested against.

Does it exist on all platforms?

No, our advisory affects only NT, Solaris was tested against and found not vulnerable. AIX and other platforms were not tested against and these platforms potentially could be vulnerable.

Is this an issue only with the SSL server (SSL Handshake? huh? what does THAT have to do with a GET request?) or does this affect the entire server?

Netscape decided to combine the GET overflow patch in with an SSL problem. This vulnerability affects the entire server. Netscape handles their patch bundling, we have no involvement with that.

Are patches available for previous versions of Enterprise server?

Not that we know of. If previous versions are found to be vulnerable Netscape should be contacted and will issue a patch at that time.

----
X-Force
Internet Security Systems, Inc.
(678) 443-6000 / http://xforce.iss.net/
Adaptive Network Security for the Enterprise
AT&T Wireless Services IT Security UNIX Security Operations Specialist