[ISN] EEYE: Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow

From: InfoSec News (isnat_private)
Date: Thu Aug 08 2002 - 23:26:40 PDT

  • Next message: InfoSec News: "[ISN] Microsoft plugs holes in Content Management Server"

    Forwarded from: "Marc Maiffret" <marcat_private>
    
    Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow
    
    Release Date: August 8, 2002
    
    Severity:
    High (Remote SYSTEM/ROOT)
    
    Systems Affected:
    iPlanet 6.0 and prior
    
    Description:
    A vulnerability in transfer chunking can be exploited to remotely execute
    code of an attacker's choice on a vulnerable machine. By sending a carefully
    crafted session, an attacker can overwrite a section of the heap. Various
    data structures in the overwritten heap can be manipulated to move attacker
    supplied data to attacker supplied memory addresses, thereby altering the
    flow of execution into an attacker supplied payload.
    
    Note this variant is not the integer overflow affecting IIS and Apache that
    was discovered during regression testing with Microsoft. This is another
    variant relating to incorrect size calculation.
    
    The following example will show the vulnerable condition:
    
    **************Begin Session****************
    POST /EEYE.html HTTP/1.1
    Host: www.EEYE2002.com
    Transfer-Encoding: chunked
    Content-Length: 22
    
    4
    EEYE
    7FFFFFFF
    [DATA]
    **************End Session******************
    
    [DATA] will overwrite heap memory. Increase or decrease depending on
    implementation.
    
    Technical Description:
    The example session above overwrites a section of the heap that contains
    data structures related to the Memory management system. By manipulating the
    content of these structures, we can overwrite an arbitrary 4 bytes of memory
    with an attacker supplied address.
    
    It is widely assumed that the risk for these type of vulnerabilities is
    fairly low due to the fact that addressing is dynamic and that you must use
    brute force in your attack; however, this is false assumption and
    exploitation can be successful with one attempt, across dll versions. An
    attacker can overwrite static global variables, stored function pointers,
    process management structures, memory management structures, or any number
    of data types that will allow him to gain control of the target application
    in one session.
    
    Vendor Status:
    Sun has released a security bulletin and patch:
    http://www.sun.com/service/support/software/iplanet/alerts/transferencodinga
    lert-23july2002.html
    
    Credit: Riley Hassell
    
    Greetings:
    Eli, Kasia, Halvar, FX, and the three amigos K2, Dark Spyrit, and Joey.
    
    Copyright (c) 1998-2002 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alertat_private for
    permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    infoat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Aug 09 2002 - 02:01:00 PDT