SUMMARY/WARNING: AnswerBook2 DoS bug

From: Jamie Lawrence (jalat_private)
Date: Thu Apr 30 1998 - 10:51:36 PDT


    >Sender: sun-managers-relayat_private
    >Date: Thu, 30 Apr 1998 12:00:53 +0200
    >From: andersat_private (Thomas Anders)
    >Followup-to: andersat_private (Thomas Anders)
    >Reply-To: andersat_private
    >X-Www-Homepage: http://www.hmi.de/people/anders/
    >X-Disclaimer: I only speak 4 myself - if at all
    >X-Mailer: Z-Mail (4.0.1 13Jan97)
    >To: sun-managersat_private (Sun-Managers List)
    >Subject: SUMMARY/WARNING: AnswerBook2 DoS bug
    >
    >Hello,
    >
    >Already in December 1997 I discovered a serious bug in the AnswerBook2
    >server dwhttpd/3.1a4 that ships with Solaris 2.6 (server edition). With
    >a simple socket connection to the AB2 port (default: 8888), *anyone* on
    >the network with access to that port (default: everybody, see below) can
    >bring the server to spin and deny further responses:
    >
    >--- snip ---
    >  HTTP/1.0 500 Server Error
    >  Server: dwhttpd/3.1a4 (Inso; sun5)
    >  [...]
    >
    >  The server currently lacks the resources needed to handle your request.
    >  Please try again later.
    >--- snap ---
    >
    >The affected dwhttpd process will eat one cpu, with possible impact on
    >other services. (MP machines will still have some cpus available.)
    >
    >I reported this to Sun who filed a bug report
    >
    >       bug/sherlock/server/4099376
    >       HTTP 1.0 HEAD request brings the dwhttpd to spin
    >
    >and assigned priority "fix within 3 months". AB2 technology is a
    >third-party product, so Sun filed a bug with Inso who provides
    >dwhttpd as part of their DynaWeb toolkit. Five months later (!)
    >now they finally claim: it's fixed in dwhttpd/4.0 which will ship
    >with Solaris 2.7. Still no patch for the existing AB2 package!
    >
    >What you can do:
    >
    >Q: Do I run dwhttpd?
    > A: Check for packages SUNWab2r, SUNWab2s and SUNWab2u.
    >    Check if dwhttpd is invoked at system startup (/etc/rc2.d/S96ab2mgr)
    >    Check with "ps -ef | grep dwhttpd"
    >
    >Q: Is my AB2 server really vulnerable?
    > A: If you don't believe it, check yourself - the source code for a
    >    sample "AB2 DoS attack program" (that I gave Sun to reproduce the bug)
    >    is included in the bug report (wow - Sun publishes exploit scripts!).
    >
    >Q: I'm vulnerable - what can I do?
    > A: 1. The only real fix is "/etc/init.d/ab2mgr stop" (which is a DoS
    >        itself :)
    >    2. Restrict the access to your AB2 server port to particular clients
    >       (e.g. intranet only) by tcp-wrapper or firewall setup.
    >*** 3. Get nervous, call Sun, request a patch for this bug now. ***
    >
    >
    >I hope we can get Sun/Inso to produce a *patch* soon.
    >If there is any substantial news I will summarize again.
    >
    >
    >Best regards,
    >Thomas
    >
    >--
    >Thomas Anders <andersat_private>
    >Hahn-Meitner-Institut Berlin, Germany
    >
    >
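
The three checks listed under "Do I run dwhttpd?" in the message above, combined into one script as an added example that is not part of the original post or of any Sun tooling. The package names and the rc2.d path are the ones given in the post; the function names and the lookup under /var/sadm/pkg are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): report whether a Solaris host has the
# AnswerBook2 server installed, started at boot, or currently running.
AB2_PKGS="SUNWab2r SUNWab2s SUNWab2u"   # package names given in the post
AB2_RC="etc/rc2.d/S96ab2mgr"            # start script given in the post

# ab2_installed ROOT: print installed AB2 packages, one per line.
# Assumption: each installed SVR4 package has a directory in /var/sadm/pkg.
ab2_installed() {
    for pkg in $AB2_PKGS; do
        if [ -d "$1/var/sadm/pkg/$pkg" ]; then echo "$pkg"; fi
    done
}

# ab2_starts_at_boot ROOT: succeed if the rc2.d start script exists.
ab2_starts_at_boot() {
    [ -e "$1/$AB2_RC" ]
}

# ab2_running: read "ps -ef" output on stdin, print PIDs whose command name
# is dwhttpd. Only the command field is compared, so "grep dwhttpd" is not
# counted. STIME is one field ("10:51:36") or two ("Apr 30"), which moves
# the command from field 8 to field 9.
ab2_running() {
    awk 'NR > 1 { cmd = ($5 ~ /^[A-Za-z]+$/) ? $9 : $8
                  if (cmd ~ /(^|\/)dwhttpd$/) print $2 }'
}

# ab2_audit ROOT: one-line summary; returns 1 if any check found dwhttpd.
# ROOT is "" for the live system or the mount point of a copied filesystem.
ab2_audit() {
    pkgs=$(echo $(ab2_installed "$1"))
    pids=$(echo $(ab2_running))
    if ab2_starts_at_boot "$1"; then boot=yes; else boot=no; fi
    echo "packages=[$pkgs] boot_start=$boot dwhttpd_pids=[$pids]"
    [ -z "$pkgs" ] && [ "$boot" = no ] && [ -z "$pids" ]
}

# Live use on the host itself:  ps -ef | ab2_audit ""
```

A non-zero exit status from `ab2_audit` marks a host where the access restriction or shutdown from the post's third answer still has to be applied.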
    


