>Sender: sun-managers-relayat_private
>Date: Thu, 30 Apr 1998 12:00:53 +0200
>From: andersat_private (Thomas Anders)
>Followup-to: andersat_private (Thomas Anders)
>Reply-To: andersat_private
>X-Www-Homepage: http://www.hmi.de/people/anders/
>X-Disclaimer: I only speak 4 myself - if at all
>X-Mailer: Z-Mail (4.0.1 13Jan97)
>To: sun-managersat_private (Sun-Managers List)
>Subject: SUMMARY/WARNING: AnswerBook2 DoS bug
>
>Hello,
>
>Already in December 1997 I discovered a serious bug in the AnswerBook2
>server dwhttpd/3.1a4 that ships with Solaris 2.6 (server edition). With
>a simple socket connection to the AB2 port (default: 8888), *anyone* on
>the network with access to that port (default: everybody, see below) can
>bring the server to spin and deny further responses:
>
>- --- snip ---
> HTTP/1.0 500 Server Error
> Server: dwhttpd/3.1a4 (Inso; sun5)
> [...]
>
> The server currently lacks the resources needed to handle your request.
> Please try again later.
>- --- snap ---
>
>The affected dwhttpd process will eat one cpu, with possible impact on
>other services. (MP machines will still have some cpus available.)
>
>I reported this to Sun who filed a bug report
>
> bug/sherlock/server/4099376
> HTTP 1.0 HEAD request brings the dwhttpd to spin
>
>and assigned priority "fix within 3 months". AB2 technology is a
>third-party product, so Sun filed a bug with Inso who provides
>dwhttpd as part of their DynaWeb toolkit. Five months later (!)
>now they finally claim: it's fixed in dwhttpd/4.0 which will ship
>with Solaris 2.7. Still no patch for the existing AB2 package!
>
>What you can do:
>
>Q: Do I run dwhttpd?
> A: Check for packages SUNWab2r, SUNWab2s and SUNWab2u.
>    Check if dwhttpd is invoked at system startup (/etc/rc2.d/S96ab2mgr)
>    Check with "ps -ef | grep dwhttpd"
>
>Q: Is my AB2 server really vulnerable?
> A: If you don't believe it, check yourself - the source code for a
>    sample "AB2 DoS attack program" (that I gave Sun to reproduce the bug)
>    is included in the bug report (wow - Sun publishes exploit scripts!).
>
>Q: I'm vulnerable - what can I do?
> A: 1. The only real fix is "/etc/init.d/ab2mgr stop" (which is a DoS
>       itself :)
>    2. Restrict the access to your AB2 server port to particular clients
>       (e.g. intranet only) by tcp-wrapper or firewall setup.
>*** 3. Get nervous, call Sun, request a patch for this bug now. ***
>
>
>I hope we can get Sun/Inso to produce a *patch* soon.
>If there is any substantial news I will summarize again.
>
>
>Best regards,
>Thomas
>
>--
>Thomas Anders <andersat_private>
>Hahn-Meitner-Institut Berlin, Germany
>
>
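The three "Do I run dwhttpd?" checks from the post, plus a look at whether the AB2 port is bound on every interface, combined into one script. This is an added example, not part of the original message and not Sun's or Inso's code. The function names, `AB2_ROOT` and `AB2_PORT` are assumptions of this sketch, and it needs a POSIX-style shell (on Solaris 2.6 run it with ksh).

```shell
# Added example: exposure check for the AnswerBook2 server (dwhttpd).
# AB2_ROOT and AB2_PORT are assumptions of this sketch: an alternate root
# (e.g. a mounted image) and the AB2 port (default per the post: 8888).
AB2_ROOT="${AB2_ROOT:-}"
AB2_PORT="${AB2_PORT:-8888}"

# Installed AB2 packages, out of the three named in the post.
ab2_packages() {
    found=""
    for p in SUNWab2r SUNWab2s SUNWab2u; do
        if pkginfo -q "$p" 2>/dev/null; then found="$found $p"; fi
    done
    echo "${found# }"
}

# True if the rc script that starts dwhttpd at boot is present.
ab2_starts_at_boot() {
    [ -f "$AB2_ROOT/etc/rc2.d/S96ab2mgr" ]
}

# Number of running dwhttpd processes ([d] stops grep matching itself).
ab2_process_count() {
    ps -ef 2>/dev/null | grep -c '[d]whttpd' || true
}

# True if "netstat -an" shows the port bound to every interface
# (Solaris prints the wildcard local address as "*.8888").
ab2_wildcard_listener() {
    netstat -an 2>/dev/null | grep LISTEN |
        grep "^ *\*\.$AB2_PORT " >/dev/null
}

ab2_audit() {
    pkgs=$(ab2_packages)
    count=$(ab2_process_count)
    echo "AB2 packages installed: ${pkgs:-none}"
    if ab2_starts_at_boot; then boot=yes; else boot=no; fi
    echo "S96ab2mgr at boot:      $boot"
    echo "dwhttpd processes:      $count"
    if ab2_wildcard_listener; then
        echo "port $AB2_PORT is open on all interfaces: filter it or run /etc/init.d/ab2mgr stop"
    fi
    return 0
}

ab2_audit
```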