Re: Netscape FastTrack httpd remote exploit

From: Max Vision (visionat_private)
Date: Fri Dec 31 1999 - 11:51:44 PST

    Hi,
    
    This attack can now be detected by the following IDS signatures:
    
    http://dev.whitehats.com/cgi/test/new.pl/Show?_id=web-netscape-overflow-unixware
    http://dev.whitehats.com/cgi/test/new.pl/Show?_id=outgoing_xterm
    http://dev.whitehats.com/cgi/test/new.pl/Show?_id=nops-x86
    
    These signatures are also available as part of
    http://dev.whitehats.com/ids/vision.conf
    
    Note that each record includes packet traces from usage of an actual
    exploit attempt.
    
    Max Vision
    http://whitehats.com/   <- free tools, forums, IDS database
    http://maxvision.net/
    
    On Fri, 31 Dec 1999, Brock Tellier wrote:
    > OVERVIEW
    > A vulnerability in Netscape FastTrack 2.01a will allow any remote user to
    > execute commands as the user running the httpd daemon (probably nobody).  This
    > service is running by default on a standard UnixWare 7.1 installation.
    >
    > /** uwhelp.c - remote exploit for UnixWare's Netscape FastTrack
    >  **            2.01a scohelp http service
    >  **
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:24 PDT