[SAFER 000229.EXP.1.3] Remote buffer overflow in Netscape

From: Vanja Hrustic (vanjaat_private)
Date: Tue Feb 29 2000 - 09:48:10 PST


    __________________________________________________________
    
           S.A.F.E.R. Security Bulletin 000229.EXP.1.3
    __________________________________________________________
    
    
    TITLE     : Buffer Overflow in Netscape Enterprise Server
    DATE      : February 29, 2000
    NATURE    : Denial-of-Service, Remote Code Execution
    PLATFORMS : Windows NT 4.0, possibly others
    
    DETAILS:
    
    Netscape Enterprise Server is a web server with a long history of security
    problems. We have tested version 3.6 SP2 on Windows NT 4.0 Server edition,
    and found it to be vulnerable to a buffer overflow.
    
    
    PROBLEM:
    
    A buffer overflow exists in Netscape Enterprise Server version 3.6 SP2,
    and possibly others, which allows remote users to execute arbitrary
    code. The request which will cause the httpd.exe process to crash is (for
    example):
    
    GET /[4080 x 'A'] HTTP/1.0
    
    The method does not seem to matter at all, but the length of the
    request does. You can use BLAH as a method (instead of GET), or any
    other string you wish. Dr. Watson pops up with a message:
    
    " Exception access violation (0xc0000005), Address 0x41414141 "
    
    Remote execution of code is possible: 0x41 is the ASCII code of 'A', so
    the faulting address is made up of bytes from the request itself, which
    shows that the overflow overwrites a control-flow value with
    request-supplied data.
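    From a detection standpoint, the request described above is easy to spot in web server access logs: the request target is thousands of bytes long, consists of a run of one repeated byte, and may use a method that is not a real HTTP verb. The following checker, added here as an example and not part of the advisory, scans constructed Common Log Format lines (the log lines, threshold values and function names are assumptions) and flags requests that match these traits.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines in Common Log Format for this example.
# The third line mimics the advisory's request (a target of 4080 'A' bytes);
# the fourth uses a bogus method, as the advisory notes the method does not matter.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Feb/2000:09:48:10 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [29/Feb/2000:09:48:11 -0800] "POST /cgi-bin/form HTTP/1.0" 200 12',
    '10.0.0.9 - - [29/Feb/2000:09:49:02 -0800] "GET /' + 'A' * 4080 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [29/Feb/2000:09:49:05 -0800] "BLAH /' + 'B' * 4080 + ' HTTP/1.0" 500 0',
]

# Extracts method, target and (optional) version from the quoted request line.
REQUEST_LINE = re.compile(r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<version>HTTP/\d\.\d))?"')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def check_request(line: str, max_target_len: int = 1024, max_run: int = 256) -> Dict[str, object]:
    """Return a finding for one log line, or an empty dict if it looks benign.

    max_target_len and max_run are assumed thresholds: legitimate URIs on a
    1999-era server are far shorter than 1024 bytes and never contain hundreds
    of identical consecutive bytes.
    """
    m = REQUEST_LINE.search(line)
    if not m:
        return {"method": None, "target_len": 0, "reasons": ["unparseable request line"]}
    method, target = m.group("method"), m.group("target")
    reasons: List[str] = []
    if len(target) > max_target_len:
        reasons.append(f"request target length {len(target)} > {max_target_len}")
    # Longest run of a single repeated byte; overflow probes are typically filler.
    longest = max((len(r.group(0)) for r in re.finditer(r"(.)\1*", target)), default=0)
    if longest >= max_run:
        reasons.append(f"run of {longest} identical bytes in target")
    if method not in KNOWN_METHODS:
        reasons.append(f"non-standard method {method!r}")
    if not reasons:
        return {}
    return {"method": method, "target_len": len(target), "reasons": reasons}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run check_request over every line and keep only the findings."""
    return [f for f in (check_request(l) for l in lines) if f]
```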
    
    
    FIXES:
    
    The problem is present in Netscape Enterprise Server 3.6 SP2, running
    on Windows NT platform. We have also tested Netscape Enterprise Server
    3.51I running on Solaris, and found it not to be vulnerable.
    
    Until the official statement from Netscape is released, consider the
    possibility that all versions are vulnerable.
    
    We have tried to contact Netscape and inform them about vulnerabilities
    (including this buffer overflow, and a few others) in their web server,
    but have received no reply (or acknowledgment) so far. This problem
    was found three months ago; Netscape has been contacted on several
    occasions since January 2000. We would be happy if Netscape would
    contact us, so that we can let them know about a few more security
    problems that have been found in Netscape Enterprise Server.
    
    
    JOB OFFERS:
    
    The Relay Group is seeking security enthusiasts with vast experience in
    intrusion testing and firewall/IDS configuration. For more information,
    please visit:
    
    http://relaygroup.com/secjobs.html
    
    
    ___________________________________________________________
    
        S.A.F.E.R. - Security Alert For Enterprise Resources
                Copyright (c) 2000, The Relay Group
       http://www.safermag.com  ----  securityat_private
    ___________________________________________________________
    


