WebSphere application server plugin issue & vendor fix

[Rude Yak <rudeyak () YAHOO COM>]

  I've had the opportunity to work with IBM WebSphere application server for a
few months now and, in the course of playing around with some buffer overrun
testing, a potential issue came up.  WebSphere uses the HTTP Host: header to
decide which WAS Virtual Host will service a particular request.  Based on this
feature, I decided to see what would happen if I sent huge amounts of data in
the Host: request header.  I found the following:

GET /servletsnoop HTTP/1.0
Host: xxxxxxxxxxxxxxxxxxxxxxxx(1092+ characters)

resulted in the following IBMHTTPD log entry:

[Fri May 26 12:00:54 2000] [notice] child pid 11306 exit signal Segmentation
Fault (11)

It turned out that, depending on how many bytes were in the Host: header, I
could cause the web server process to fault on either signal 11 (SIGSEGV) or
signal 10 (SIGBUS).  Here's the IBM HTTPD banner:

IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev

The machine on which I tested was a Solaris 2.6 server with IBMHTTPD and
WebSphere 3.0.2.  I verified that the problem was with the WAS plugin (and not
IBMHTTPD) by commenting out all references to the WAS DSO and running the same
requests - Apache/IBMHTTPD handled them appropriately.  Although it did not
look like any core dumps were generated and IBMHTTPD did not stop taking
requests, the process that handled that particular request did die rather
unceremoniously and the potential for abuse seemed significant enough that I
brought it up with the vendor.  IBM was able to reproduce the issue and stated
that it was not exploitable (used to gain access or elevated privilege on the
web server machine).  Nonetheless, the problem has since been fixed by IBM (and
verified onsite here), in WAS 3.0.2 fix pack 2, available at

http://www-4.ibm.com/software/webservers/appserv/efix.html



__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/