TGAD DoS

VirtualVault Overview

The VirtualVault operating system is HP's solution to secure electronic commerce. It is a B1 and B2 DoD compliant system that is becoming increasingly popular with big business, banks, etc. The main security mechanism on which VVOS is based is data partitioning. Data on the system is classified into one of four security classes, or 'vaults' -- INSIDE, OUTSIDE, SYSTEM and SYSTEM HIGH. The INSIDE vault houses the server's backend applications and databases. The OUTSIDE vault generally contains the internet front end and any necessary CGI binaries, etc. SYSTEM and SYSTEM HIGH are responsible for maintaining the external webpages and audit logs respectively.

These vaults are totally segregated from each other and work essentially as separate machines. If a program requires access to either of the vaults it must be authenticated by HP's Trusted Gateway Proxy daemon. The TGP daemon filters all requests from the internet and forwards them to middleware server packages that safely reside behind the INSIDE vault.

TGA Bug

While the TGP daemon does a good job of ensuring the integrity of the request prior to forwarding data to its destination, the trusted gateway agent that is responsible for wrapping CGI requests does not check the length of the request prior to sending it to TGP. This poses a problem since TGA does not correctly handle request messages that are more than 512 bytes in length. The result is a trivial DoS attack on TGA and all services being wrapped by TGA.

The bug was discovered during a penetration test on a client system running VVOS 3.01. A post was made to a CGI application residing on the system with a large string of characters. This was then sent to the trusted gateway agent, causing the daemon to crash, leaving the Netscape Enterprise Server unable to service further HTTP/SSL requests.

The NES logs show the following:

[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports: ERROR: setup_connection(): Failed to transfer execution message to TGA daemon

And when NES is started back up:

[07/May/1999:16:28:18] info: successful server startup
[07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
[07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource temporarily unavailable)

FIX

Chris Hudel of HP was notified of this bug on Wednesday May 12, 1999. He stated that HP was aware of the problem and addressed it in patch PHSS 10747. However, I am not aware of HP releasing an official 'bug report' on this issue. Since I have encountered several VVOS systems this past week that have not been patched, and sysadmins unaware of this bug and patch, I decided to post the details publicly.

NOTE: I have not tested this bug against PHSS 10747 and would appreciate input from those who have at fooat_private

- John Daniele
jdanieleat_private
VOX: (416) 777-3759
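
A log check for the failure signature quoted above, as an added example that is not part of the original post: it scans NES log lines for the vvtga_log transfer error and for accept failures that follow it, so an administrator can tell whether an unpatched system has already been hit. The sample log is constructed, and treating the logged URI length as a stand-in for the size of the TGA request message is an assumption.

```python
import re

TGA_LIMIT = 512  # bytes; the post says TGA mishandles larger request messages
TGA_ERR = "Failed to transfer execution message to TGA daemon"

# Line shapes taken from the NES log excerpts quoted in the post.
SEC_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] security: for host (?P<host>\S+) trying to "
    r"[A-Z]+ (?P<uri>\S+), vvtga_log reports: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] failure: Error accepting connection")


def scan(lines):
    """Flag TGA transfer errors and any accept failures that follow them."""
    findings, tga_failed = [], False
    for line in lines:
        line = line.strip()
        sec = SEC_RE.match(line)
        if sec and TGA_ERR in sec["msg"]:
            tga_failed = True
            findings.append({
                "type": "tga_transfer_failure",
                "ts": sec["ts"],
                "host": sec["host"],
                "uri_len": len(sec["uri"]),
                # Assumption: the full URI is logged, so its length stands in
                # for the size of the message handed to TGA.
                "oversized": len(sec["uri"]) > TGA_LIMIT,
            })
        elif tga_failed and (fail := FAIL_RE.match(line)):
            findings.append({"type": "accept_failure_after_tga_error",
                             "ts": fail["ts"]})
    return findings


# Constructed sample log; 192.0.2.10 is a documentation address.
SAMPLE = [
    "[07/May/1999:16:00:00] info: successful server startup",
    "[07/May/1999:16:16:22] security: for host 192.0.2.10 trying to GET "
    "/cgi-bin/somecgi.cgi?" + "A" * 600 + ", vvtga_log reports: "
    "ERROR: setup_connection(): " + TGA_ERR,
    "[07/May/1999:16:28:18] info: successful server startup",
    "[07/May/1999:16:33:18] failure: Error accepting connection -5993 "
    "(Resource temporarily unavailable)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```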