Solaris ab2 web server is junk

From: Marc Slemko (marcsat_private)
Date: Sun Aug 23 1998 - 21:02:30 PDT


    For anyone who didn't figure out in the first two seconds after installing
    Solaris that running Sun's (well, ok, it is some third party server but
    Sun is licensing it) answerbook web server is silly, now you know.
    
    I do not know if any of the below has been fixed by more recent patches
    and haven't looked at it since the start of May when I sent the below to
    Sun.
    
    ---------- Forwarded message ----------
    Date: Sat, 2 May 1998 00:42:05 -0600 (MDT)
    From: Marc Slemko <marcsat_private>
    To: security-alertat_private
    Subject: report ab2 web server is junk
    
    Are you aware of what a pile of junk the dwhttpd/3.1a4 web server that is
    installed for the ab2 stuff in 2.6 is?
    
    It is trivial to make it stop processing CGI requests by doing
    a POST with a large content-length; further CGI requests then
    fail with an out of memory or something.
    
    It doesn't handle %-encoding and logs in a funky way, which results
    in URLs with printf-style '%' strings in getting funky log
    entries.  For example, accessing http://apollo:8888/foo/%s gives
    a log entry of:
    
    http-8888 [02/May/2000:00:24:12 -0600] warning: send-file reports: The requested8ãÿß$þßGÇßßÇßÓ×Èߪä¾ÈßÊ" could not be opened!
    
    It is interpreting the %s as a printf style format string.  This could,
    if you can find the right error message and have the right junk
    memory accessed, possibly compromise information from the address
    space of the server that shouldn't be compromised.  Not likely,
    but possible.  Note that this mishandling of %-encoded strings also
    rejects valid requests that are % encoded, but the server doesn't
    even start to be HTTP compliant so that probably doesn't matter.
    
    You can cause it to core dump trivially in many ways.  Requesting
    /foo.cgi makes it die, as does a request that is long enough to
    get an ENAMETOOLONG (causes it to try opening ""), or even longer
    (causes it to die with an assertion failure):
    
       Assertion failed: buffer && len > 0 && timeout >= 0, file ../dwhttpd/dwsocket.cc, line 294\n
    
    All of the above is lame and can possibly result in some security
    problems, but since this server obviously isn't intended to have any
    real use then the DoS attacks aren't overly serious.  None of these
    appear to be buffer overflow problems.
    
    More serious, however, is this excerpt from a truss of it handling
    a request:
    
    poll(0xDED00A60, 1, 120000)                     = 1
    recv(12, " G E T   /   H T T P / 1".., 4096, 0) = 261
    xstat(2, "/usr/lib/ab2/data/docs/", 0xDED03BB4) = 0
    xstat(2, "/tmp/ecm/utf8.so", 0xDED03024)        Err#2 ENOENT
    xstat(2, "/usr/lib/ab2/lib/ecm/utf8.so", 0xDED03024) Err#2 ENOENT
    xstat(2, "/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", 0xDED03024) = 0
    open("/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", O_RDONLY) = 13
    
    Why the heck is it trying to open a shared library under /tmp?
    I see nothing stopping me from creating my own trojaned utf8.so
    and putting it in /tmp/ecm to gain easy access to the daemon
    uid.  I don't think I did anything locally to cause it to do
    this, but I can't see where it is getting /tmp from either.
    It isn't in the LD_LIBRARY_PATH that is getting set by
    /etc/init.d/ab2mgr.
    
    No, access to daemon doesn't give you that much (although it could
    do more if you had some NFS mounts from another server where it
    did matter) and none of the above is a remote exploit, but finding
    all this in 15 minutes of looking is enough to convince me that
    there is a high probability of there being some yet-unpublished
    remote exploit to gain access to the box remotely.  Doesn't look
    like a very professional piece of software.  Just another thing on
    my list of things to disable on any Solaris installation.
    
    Some of this may be x86 specific, didn't bother to look on a sparc
    box.
    
    Tests done on the below system:
    
    Hostname: apollo
    Hostid: 208316d8
    Release: 5.6
    Kernel architecture: i86pc
    Application architecture: i386
    Hardware provider:
    Domain:
    Kernel version: SunOS 5.6 Generic 105182-04 January 1998
    
    OpenWindows version:
    OpenWindows Version 3.6  7 July 1997
    Patch: 105402-07 Obsoletes: 105525-01 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc, SUNWnisu
    Patch: 105217-03 Obsoletes:  Requires: 105402-07 Incompatibles:  Packages: SUNWcsu
    Patch: 105394-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105519-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105666-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105668-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105616-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105622-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
    Patch: 105687-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105756-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105737-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105758-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105747-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105725-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105723-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105719-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105569-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105563-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWnisu
    Patch: 105517-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105491-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc, SUNWbtool, SUNWhea, SUNWtoo, SUNWosdem
    Patch: 105406-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
    Patch: 105398-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
    Patch: 105211-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWarc
    Patch: 105423-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
    Patch: 105461-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
    Patch: 105182-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcar, SUNWhea, SUNWhea
    Patch: 105639-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar
    Patch: 105620-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
    Patch: 105670-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
    Patch: 105631-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
    Patch: 105161-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtbas
    Patch: 105417-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWaccu
    Patch: 105801-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWadmap
    Patch: 105229-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
    Patch: 105305-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
    Patch: 105240-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWpsdcr
    Patch: 105232-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWpsdcr
    Patch: 105596-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
    Patch: 105584-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
    Patch: 105599-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
    Patch: 105656-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
    Patch: 105226-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
    Patch: 105247-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWpsdcr
    Patch: 105248-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
    Patch: 105674-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
    Patch: 105728-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
    Patch: 105611-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r, SUNWman
    Patch: 106189-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWos86r
    Patch: 105422-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWapppr
    Patch: 105473-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWatfsu
    Patch: 105838-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdte
    Patch: 105704-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdte
    Patch: 105567-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdmn
    Patch: 105498-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWoldst
    Patch: 105559-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdst
    Patch: 105339-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdtdst, SUNWdthev, SUNWdtma
    Patch: 105744-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWfns
    Patch: 105200-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwpls, SUNWxwscf
    Patch: 105194-03 Obsoletes: 103500-08 Requires:  Incompatibles:  Packages: SUNWxwpls
    Patch: 105553-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWnisu
    Patch: 105404-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWnisu
    Patch: 105617-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdcr
    Patch: 106136-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdcr
    Patch: 106203-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdcr
    Patch: 105209-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpsdpr
    Patch: 106126-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWswmt
    Patch: 105427-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWtnfc
    Patch: 105408-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWvolu
    Patch: 105201-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxi18n
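
The "%s" log entry above is the classic format-string bug: the request path ends up as the format argument of a printf-family call, so vsnprintf walks the stack for arguments that were never passed. The C program below is added here as an illustration; it is not part of Marc's report and not dwhttpd code. It shows that shape next to the two fixes the report implies, a constant format string and %-decoding done before the path is used for anything. The log text is modelled on the line quoted in the report; the logging shim, the function names, the status codes and the sample paths are constructed for the example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Last line written by the logger, kept so callers can inspect it. */
static char logbuf[512];

const char *last_log(void) { return logbuf; }

/* Logging shim in the style of many 1990s servers: a thin vsnprintf wrapper
 * with no printf format attribute, so the compiler stays silent when a
 * caller hands it attacker-controlled text as fmt. */
static int logmsg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return n;
}

/* The vulnerable shape the dwhttpd log line points to: the request path is
 * interpolated into the message, and the finished message is then passed
 * as the format string. For "/foo/%s" vsnprintf pulls a stray pointer off
 * the stack and copies whatever it points at into the log; "%x" or "%p"
 * leak raw stack words. Call it only with '%'-free paths (undefined
 * behaviour otherwise). */
int log_open_failure_vulnerable(const char *path)
{
    char msg[256];
    snprintf(msg, sizeof msg,
             "warning: send-file reports: The requested %s could not be opened!",
             path);
    return logmsg(msg);                 /* BUG: user data used as fmt */
}

/* Hardened form: the format is a constant and the path is always a
 * vararg, so a '%' in the path is copied literally. */
int log_open_failure_safe(const char *path)
{
    return logmsg("warning: send-file reports: The requested %s could not be opened!",
                  path);
}

/* %XX decoding. Returns the decoded length, or -1 for a malformed escape
 * ("%s", "%4", a trailing '%') or an output that would not fit. A server
 * that decodes before it does anything else never meets "%s" as a
 * directive: it is either "%73" (a literal 's') or a 400 Bad Request. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;
            char hex[3] = { p[1], p[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            p += 2;
        }
        if (n + 1 >= outsz)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Both fixes together. Returns a constructed HTTP status: 400 when the path
 * does not decode, otherwise 404 (the open is assumed to fail, as in the
 * report, so the failure is logged through the constant format). */
int handle_request_path(const char *raw_path, char *decoded, size_t outsz)
{
    if (url_decode(raw_path, decoded, outsz) < 0) {
        logmsg("warning: rejected malformed request path %s", raw_path);
        return 400;
    }
    log_open_failure_safe(decoded);
    return 404;
}

int main(void)
{
    /* Constructed sample paths; not taken from the original report. */
    const char *paths[] = { "/foo/%41%2Fbar", "/foo/%s", "/index.html" };
    char decoded[128];
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int status = handle_request_path(paths[i], decoded, sizeof decoded);
        printf("%-16s -> %d  %s\n", paths[i], status, last_log());
    }
    return 0;
}
```

Note that the compiler only warns about "logmsg(msg)" if logmsg carries a format attribute; adding __attribute__((format(printf, 1, 2))) to such a wrapper and building with -Wformat-security is what turns this class of bug into a build-time error rather than a log full of stack contents.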
    
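The truss excerpt above shows the server stat()ing /tmp/ecm/utf8.so before its own library directories, which is all an attacker needs to get code run as the daemon uid. The C program below is an added example, not code from the report or from ab2. It does the same ordered lookup but refuses any search directory that is writable by group or other, or not owned by root or the daemon's own uid, which is exactly the property /tmp lacks. The fixture it builds under a mkdtemp() directory and the directory names in it are constructed for the demonstration; the three ab2 paths are the ones that appear in the truss output.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* A search directory is trusted only if it exists, is a directory, is owned
 * by root or by the user the daemon runs as, and is writable by nobody
 * else. /tmp fails the last test: the sticky bit stops other users deleting
 * your files, it does not stop them creating /tmp/ecm/utf8.so first. */
int dir_is_trusted(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Same lookup order as the truss output, one stat() per candidate, but
 * untrusted directories are skipped rather than searched. Returns the index
 * of the directory the library was found in, with its full path in out, or
 * -1 (and an empty out) if no trusted directory has it. */
int resolve_library(const char *const *dirs, size_t ndirs, const char *name,
                    char *out, size_t outsz)
{
    for (size_t i = 0; i < ndirs; i++) {
        struct stat st;
        if (!dir_is_trusted(dirs[i])) {
            fprintf(stderr, "skipping untrusted search dir %s\n", dirs[i]);
            continue;
        }
        if (snprintf(out, outsz, "%s/%s", dirs[i], name) >= (int)outsz)
            continue;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode))
            return (int)i;
    }
    out[0] = '\0';
    return -1;
}

/* Throwaway fixture (hypothetical layout, not the Solaris one): a
 * world-writable "evil/ecm", which is what anyone can arrange under /tmp,
 * and a 0755 "good/ecm", each containing a file named utf8.so. */
struct fixture { char base[64]; char evil[128]; char good[128]; };

static int touch(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fclose(f);
    return 0;
}

int make_fixture(struct fixture *fx)
{
    char tmpl[] = "/tmp/ab2libXXXXXX";
    char p[160];
    if (!mkdtemp(tmpl))
        return -1;
    snprintf(fx->base, sizeof fx->base, "%s", tmpl);
    snprintf(fx->evil, sizeof fx->evil, "%s/evil/ecm", fx->base);
    snprintf(fx->good, sizeof fx->good, "%s/good/ecm", fx->base);
    snprintf(p, sizeof p, "%s/evil", fx->base);
    if (mkdir(p, 0755) || mkdir(fx->evil, 0755) || chmod(fx->evil, 0777))
        return -1;
    snprintf(p, sizeof p, "%s/good", fx->base);
    if (mkdir(p, 0755) || mkdir(fx->good, 0755))
        return -1;
    snprintf(p, sizeof p, "%s/utf8.so", fx->evil);
    if (touch(p))
        return -1;
    snprintf(p, sizeof p, "%s/utf8.so", fx->good);
    return touch(p);
}

int main(void)
{
    struct fixture fx;
    char found[256];
    if (make_fixture(&fx) != 0) {
        perror("fixture");
        return 1;
    }
    const char *dirs[] = { fx.evil, fx.good };
    int i = resolve_library(dirs, 2, "utf8.so", found, sizeof found);
    printf("utf8.so resolved from dirs[%d]: %s\n", i, found);

    /* The search path from the report, for comparison: /tmp/ecm is skipped
     * on any box where /tmp is world-writable, whatever it contains. */
    const char *ab2[] = { "/tmp/ecm", "/usr/lib/ab2/lib/ecm",
                          "/usr/lib/ab2/dweb/sunos5/lib/ecm" };
    printf("/tmp trusted? %d\n", dir_is_trusted("/tmp"));
    i = resolve_library(ab2, 3, "utf8.so", found, sizeof found);
    printf("ab2 search: %d (%s)\n", i, i < 0 ? "not found in a trusted dir" : found);
    return 0;
}
```

Two caveats on the check itself: it looks only at the leaf directory, so a trusted-looking /tmp/ecm owned by the daemon would still pass even though any user could have created it before the daemon did (a thorough version walks every component of the path), and the check is a last line of defence. The real fix is the one the report asks for: no world-writable directory in the library search path, whether it arrives via LD_LIBRARY_PATH, a RUNPATH or a hard-coded list like the one in the truss.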
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:25 PDT