Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise

From: Erik Fichtner (techsat_private)
Date: Thu Aug 26 1999 - 08:59:52 PDT

Next message: Olaf Kirch: "Re: [RHSA-1999:030-01] Buffer overflow in cron daemon"

Previous message: Aleph One: "Debian not vulnerable to recent cron buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 25, 1999 at 04:08:36PM -0400, X-Force wrote:
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in
> the Netscape Enterprise Server and Netscape FastTrack Server. Netscape
> produces web servers and web browsers for individuals, small workgroups, and
> business professionals. An attacker can send the web server an overly long
> HTTP GET request, overflowing a buffer in the Netscape httpd service and
> overwriting the process's stack. This allows a sophisticated attacker to
> force the machine to execute any program code that is sent. The ISS X-Force
> has demonstrated that it is possible to use this vulnerability to execute
> arbitrary code as SYSTEM on the server, giving an attacker full control of
> the machine.
>
> Affected Versions:
>
> This vulnerability was tested on Enterprise 3.6sp2 and FastTrack 3.01.
>
> Fix Information:
>
> Apply the Enterprise 3.6 SP 2 SSL Handshake fix, available
> from Netscape at:
> http://www.iplanet.com/downloads/patches/detail_12_86.html.


Is this vulnerability in other versions of Enterprise server?   Does
it exist on all platforms?   Is this an issue only with the SSL server
(SSL Handshake? huh? what does THAT have to do with a GET request?) or
does this affect the entire server?   Are patches available for previous
versions of Enterprise server?

> Additional Information:
>
> To download the FlexCheck for this vulnerability for Internet Scanner 6.0,
> go to the following URL:
>
> http://download.iss.net/eval/ISNetscapeGetOverflowFlexCheck.exe


Oh, so the only way we're going to get anything resembling useful
information about wether we're running vulnerable servers is if we run out
and get a copy of Internet Scanner?


--
Erik Fichtner; Warrior SysAdmin (emf|techs)
http://www.obfuscation.org/~techs      N 38 53.055'  W 77 21.860'  764 ft.
"When you're having a bad day and it seems like people are trying your
patience to no end, remember, it takes 42 muscles to frown and only 4 to pull
the trigger on a decent sniper rifle."

Next message: Olaf Kirch: "Re: [RHSA-1999:030-01] Buffer overflow in cron daemon"
Previous message: Aleph One: "Debian not vulnerable to recent cron buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:02 PDT