Bugtraq mailing list archives
Netscape Enterprise Server for NetWare Virtual Directory Vulnerability
From: prg () N-M COM (Peter Grundl)
Date: Mon, 26 Jun 2000 12:02:15 +0200
Netscape Enterprise Server for NetWare Virtual Directory Vulnerability

Advisory Code: VIGILANTE-2000001
Release Date: June 26, 2000

Systems Affected:
  NetWare 5.1 prior to support pack 1
  NetWare 5.0 - all support packs
  Possibly older versions of NetWare as well (not tested)

THE PROBLEM

By issuing a malformed URL it is possible to cause a denial of service situation and/or execute arbitrary code on the server with the privileges of the web server.

Here is a snippet from the log file to illustrate.

  Server XXXXXXXX halted XXXXX, XX March 2000 13.13.00
  Abend 8 on P00: Server-5.00d: Page Fault Processor Exception (Error code 00000000)

  Registers:
    CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
    EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = D6C175C0
    ESI = 61616161 EDI = 61616161 EBP = 61616161 ESP = D48F2F94
    EIP = 61616161 FLAGS = 00010286
    Address (61616161) exceeds valid memory limit
    EIP in UNKNOWN memory area
    Access Location: 0x61616161

  Running process: NS Web Thread 7 Process
  Created by: NetWare Application
  Thread Owned by NLM: NSHTTPD.NLM
  Stack pointer: D48F31B4
  OS Stack limit: D48E3480
  Scheduling priority: 67371008
  Wait state: 5050090 (Wait for interrupt)
  Stack: --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?
         --61616161 ?

The immediate effect of the problem if abused as denial of service is that all "executables" cease to respond, that is, /cgi-bin/, /lcgi/, /netbasic/, /perl/ etc., but as you can see, the EIP has been overwritten as well as the entire stack.

Vendor Status:
  Informed around the beginning of April this year

Fix:
  Novell has released a patch included in NetWare 5.1 Support Pack 1.
  Export (56 bit) URL: http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956734
  Domestic (128 bit) URL: http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956733

Vendor URL: http://www.novell.com
Program URL: http://www.novell.com/products/netscape_servers/

Copyright VIGILANTe 2000-06-26

Disclaimer:
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.

Feedback:
Please send suggestions, updates, and comments to:
VIGILANTe
mailto: info () vigilante com
http://www.vigilante.com
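
Added example, not part of the original advisory or of any vendor tooling: a small Python triage of a NetWare abend record like the one quoted above, flagging registers and stack words whose four bytes are all printable ASCII (0x61 is 'a'), which is what separates a plain crash from an overwritten EIP. The function names, the printable-ASCII heuristic and the trimmed sample record are assumptions made for illustration.

```python
import re

# Constructed sample: register and stack lines taken from the abend log quoted
# in the advisory, with the stack dump trimmed to four entries.
SAMPLE_ABEND = """\
Abend 8 on P00: Server-5.00d: Page Fault Processor Exception (Error code 00000000)
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = D6C175C0
ESI = 61616161 EDI = 61616161 EBP = 61616161 ESP = D48F2F94
EIP = 61616161 FLAGS = 00010286
Running process: NS Web Thread 7 Process
Thread Owned by NLM: NSHTTPD.NLM
Stack: --61616161 ?
       --61616161 ?
       --61616161 ?
       --61616161 ?
"""

REG_RE = re.compile(r"\b(E[A-Z]{2})\s*=\s*([0-9A-Fa-f]{8})\b")  # EAX..EIP
STACK_RE = re.compile(r"--([0-9A-Fa-f]{8})\b")                  # stack dump words
NLM_RE = re.compile(r"Owned by NLM:\s*(\S+)")


def looks_like_input(word_hex):
    """Heuristic (assumption): all four bytes printable ASCII, so plausibly request data."""
    return all(0x20 <= b <= 0x7E for b in bytes.fromhex(word_hex))


def triage(log_text):
    """Summarise one abend record: which registers and stack words look tainted."""
    regs = dict(REG_RE.findall(log_text))
    stack = STACK_RE.findall(log_text)
    tainted = sorted(r for r, v in regs.items() if looks_like_input(v))
    nlm = NLM_RE.search(log_text)
    return {
        "nlm": nlm.group(1) if nlm else None,
        "tainted_regs": tainted,
        # EIP holding input-like bytes means control flow followed overwritten
        # data: handle as possible code execution, not only a crash.
        "eip_controlled": "EIP" in tainted,
        "stack_tainted_ratio": (
            sum(looks_like_input(w) for w in stack) / len(stack) if stack else 0.0
        ),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ABEND))
```

The heuristic can misfire on legitimate pointers that happen to fall in the printable range, so a hit is a prompt to check the web server access log around the abend time, not a verdict on its own.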