Bugtraq mailing list archives
Denial of Service Vulnerability in Sun AnswerBook2
From: Dave Monnier <dmonnier () INDIANA EDU>
Date: Mon, 13 Nov 2000 11:07:25 -0500
##############################################################################
Topic:      Denial of Service Vulnerability in Sun AnswerBook2
Date:       10/24/2000
Status:     Vendor Contacted 10/10/2000, Currently unsolved
Scope:      Local and Remote Denial of Service
Platforms:  SunOS 5.6, Presumably any running AnswerBook2
Author(s):  Dave Monnier, Dick Repasky
##############################################################################

Unix Workstation Support Group
Indiana University
http://www.uwsg.iu.edu/

Denial of Service Vulnerability in Sun AnswerBook2

About Answerbook2
-----------------

Sun AnswerBook2 ships with an HTTP server (dwhttpd, DynaWeb's httpd) that
allows users to access Solaris documentation using a web browser. By default
the server listens on port 8888.

Vulnerability description
-------------------------

Sun's Answerbook fails under certain conditions to delete temporary files
that are built by its print function, filling /tmp, and causing the system
to fail because processes cannot fork.

Briefly, the dwhttp print function builds Postscript files in /tmp and
downloads them to the user's browser. It deletes Postscript files after they
are successfully sent to the browser. It fails to delete Postscript files if
the requesting TCP connection is broken before files are completely built
and sent to the browser.

Undeleted files can be large, and they are more likely to be large than
small. First, some printed documents are in excess of 50mb. Second, users
often abort print requests for large documents because the requests require
a long time to fulfill and users believe that their requests have failed.
Users often try again. Relatively few large requests are necessary to fill a
reasonably sized /tmp directory.

When /tmp fills, Solaris fails because /tmp is used for swap. If/when /tmp
fills, swap space eventually also fills, preventing additional processes
from being swapped. Eventually system memory will fill, causing a failure of
process spawning altogether.

So far as we know it is not possible to configure the Answerbook dwhttp
server to use a directory other than /tmp for generating Postscript.

Fix information
---------------

No official fix.

Non-malicious use of Answerbook can be prevented from crashing Solaris by a
cron job that cleans Answerbook Postscript files from /tmp very frequently.
A suitable frequency depends upon the size of /tmp, the amount of swapping
activity on a system and demand for Answerbook. Answerbook Postscript files
can be globbed using dweb*.ps.

The only known safeguard against malicious attack is to shut down
Answerbook.

Additional information
----------------------

Sun was contacted on 10/10/2000 and again on 10/17/2000 regarding this
issue. Sun responded 10/25/2000 without presenting a solution.
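
One way to write the cron cleanup described under "Fix information", as an added example that is not part of the original advisory. The script name, the marker path, the 10-minute interval, and the rule that a dweb*.ps file untouched since the previous run is orphaned are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original advisory.
# Removes orphaned AnswerBook2 print files (dweb*.ps) from a directory.
# A file is treated as orphaned (assumption) when it has not been modified
# since the previous run, so output that is still being built is left alone.

clean_answerbook_ps() {
    dir=$1       # directory to clean, /tmp per the advisory
    marker=$2    # timestamp file recording when the previous run happened

    if [ -f "$marker" ]; then
        # "$dir"/. ! -name . -prune : top level only, portable (no -maxdepth)
        # -type f                   : regular files only, never symlinks
        # ! -newer "$marker"        : not modified since the previous run
        # -print                    : log each path that was removed
        find "$dir"/. ! -name . -prune -name 'dweb*.ps' -type f \
            ! -newer "$marker" -exec rm -f {} \; -print
    fi

    # The first run only records a timestamp; later runs compare against it.
    touch "$marker"
}

# Keep the marker outside world-writable /tmp so a local user cannot
# pre-create it or replace it with a symlink.
# Hypothetical crontab entry (paths and interval are assumptions):
#   0,10,20,30,40,50 * * * * /usr/local/sbin/clean_dweb.sh /tmp /var/run/clean_dweb.stamp
if [ "$#" -eq 2 ]; then
    clean_answerbook_ps "$1" "$2"
fi
```

As the advisory states, this only covers non-malicious use: requests that arrive faster than the cron interval can still fill /tmp between runs.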