Bugtraq mailing list archives

Denial of Service Vulnerability in Sun AnswerBook2


From: Dave Monnier <dmonnier () INDIANA EDU>
Date: Mon, 13 Nov 2000 11:07:25 -0500

##############################################################################
Topic: Denial of Service Vulnerability in Sun AnswerBook2
Date: 10/24/2000
Status: Vendor Contacted 10/10/2000, Currently unsolved
Scope: Local and Remote Denial of Service
Platforms: SunOS 5.6, Presumably any running AnswerBook2
Author(s): Dave Monnier, Dick Repasky
##############################################################################

                    Unix Workstation Support Group
                          Indiana University
                        http://www.uwsg.iu.edu/

        Denial of Service Vulnerability in Sun AnswerBook2


About Answerbook2
-----------------

Sun AnswerBook2 ships with an HTTP server (dwhttpd, DynaWeb's httpd) that
allows users to access Solaris documentation using a web browser.

By default the server listens on port 8888.

Vulnerability description
-------------------------

Sun's AnswerBook2 fails under certain conditions to delete the temporary
files built by its print function, filling /tmp and causing the system to
fail because processes cannot fork.  Briefly, the dwhttpd print function
builds Postscript files in /tmp and downloads them to the user's browser.
It deletes a Postscript file after it has been successfully sent to the
browser, but it fails to delete the file if the requesting TCP connection
is broken before the file is completely built and sent.  Undeleted files
can be large, and they are more likely to be large than small.  First, some
printed documents are in excess of 50 MB.  Second, users often abort print
requests for large documents because the requests take a long time to
fulfil and users believe that their requests have failed; they then try
again.  Relatively few large requests are therefore necessary to fill a
reasonably sized /tmp directory.  When /tmp fills, Solaris fails because
/tmp is backed by swap space: as /tmp fills, swap space eventually also
fills, preventing additional processes from being swapped out, and
eventually system memory fills, causing process spawning to fail
altogether.

So far as we know it is not possible to configure the AnswerBook2
dwhttpd server to use a directory other than /tmp for generating
Postscript.

Fix information
---------------

No official fix.

Non-malicious use of AnswerBook2 can be prevented from crashing Solaris
by a cron job that cleans AnswerBook2 Postscript files from /tmp very
frequently.  A suitable frequency depends upon the size of /tmp,
the amount of swapping activity on the system and the demand for
AnswerBook2.  AnswerBook2 Postscript files can be globbed using dweb*.ps.

The only known safeguard against malicious attack is to shut down
AnswerBook2.
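As an added example (not from the advisory or from Sun), a cleanup script of the kind described above, written to run from cron. The dweb*.ps glob is the advisory's; the stamp-file path, the script path and the ten-minute interval are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: a cron-driven sweep of the
# AnswerBook2 Postscript files that dwhttpd leaves in /tmp when a print
# request is aborted. Assumed: the files match the dweb*.ps glob given in
# the advisory; the spool directory and stamp file are supplied by the caller.
#
# Each run removes only the dweb*.ps files that are not newer than the
# stamp left by the previous run. A file still being built is written to
# continuously, so its mtime stays newer than the stamp and it is kept; a
# file abandoned by a broken connection is collected on the following run.
# The first run (no stamp yet) removes nothing and only creates the stamp.

# usage: cleanup_answerbook_ps SPOOL_DIR STAMP_FILE
# prints the number of files removed
cleanup_answerbook_ps() {
    spool_dir=$1
    stamp=$2
    removed=0

    if [ ! -d "$spool_dir" ]; then
        echo "cleanup_answerbook_ps: $spool_dir is not a directory" >&2
        return 1
    fi

    if [ -f "$stamp" ]; then
        for f in "$spool_dir"/dweb*.ps; do
            [ -f "$f" ] || continue        # glob matched nothing
            # POSIX find -newer; test -nt is not guaranteed by POSIX
            if [ -z "$(find "$f" -newer "$stamp" -print)" ]; then
                rm -f "$f" && removed=$((removed + 1))
            fi
        done
    fi

    touch "$stamp"
    echo "$removed"
}

# From cron, pass "sweep" to clean /tmp itself, e.g. every ten minutes
# (shorten the interval for a small /tmp or heavy AnswerBook2 use):
#   0,10,20,30,40,50 * * * * /bin/sh /usr/local/sbin/cleanup_answerbook_ps.sh sweep
case "${1:-}" in
    sweep) cleanup_answerbook_ps /tmp /tmp/.dweb-sweep-stamp >/dev/null ;;
esac
```

Because a file's mtime advances while dwhttpd is still writing it, the sweep never removes a print job in progress, only files that stopped changing before the previous run.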

Additional information
----------------------

Sun was contacted on 10/10/2000 and again on 10/17/2000 regarding this
issue.  Sun responded 10/25/2000 without presenting a solution.
