From security@RELAYGROUP.COM Thu Oct 26 15:24:45 2000
From: Security Research Team
X-Sender: security@emx.siamrelay.com
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 26 Oct 2000 20:41:28 +0700
Subject: [BUGTRAQ] Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module

__________________________________________________________

S.A.F.E.R. Security Bulletin 001026.EXP.1.8
__________________________________________________________

TITLE    : Buffer overflow in iPlanet Web Server 4 server side SHTML parsing module
DATE     : October 26, 2000
NATURE   : Remote execution of code, Denial-of-Service
AFFECTED : Confirmed on Solaris, Linux and Windows NT

PROBLEM:

A buffer overflow exists in iPlanet Web Server 4.x which can lead to denial of service or remote execution of code in the context of the user the iWS web server is running as. The 'Parsed HTML' option (server-side parsing) must be enabled for the vulnerability to be exploitable.

DETAILS:

By sending a request of 198-240 characters (depending on the iWS version/platform) for a file with the .shtml extension (the default parsed extension), it is possible to overflow an internal buffer on the stack. iWS must have server-side parsing turned on; when it is enabled, .shtml files are parsed by default. The overflow happens in the logging function, when iWS tries to report that the file was not found. If exploitation is successful (or iWS segfaults), nothing will remain in the logs.

EXPLOIT:

An exploit will be released in 2 weeks (this is subject to change).

FIXES:

The workaround is to disable server-side parsing of HTML pages. We are not aware of any vendor fixes for this issue.

The vendor has been notified on multiple occasions (including a mass-mailing to every single vendor email address we could find) about this and other problems during January and February (including the '?wp tags' issue; see http://www.safermag.com/advisories/0008.shtml). The vendor published a workaround for the ?wp tags, but we have received no feedback on the SHTML problem.

On March 23rd we contacted Sun/iPlanet again, and on March 24th it was suggested to have a conference call / discussion. We never heard from them again.

CREDITS:

Vanja Hrustic
Fyodor Yarochkin
Thomas Dullien

__________________________________________________________

S.A.F.E.R. - Security Alert For Enterprise Resources
Copyright (c) 2000 The Relay Group
http://www.safermag.com ---- security@relaygroup.com
__________________________________________________________
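As an added example (not part of the advisory or of iPlanet's code), a check that reads Common Log Format lines from a reverse proxy or sensor placed in front of iWS and flags requests for parsed (.shtml) files whose path reaches the 198-character low end of the range the advisory reports. It sits in front of the server because, as the advisory notes, a successful hit leaves nothing in the iWS log itself; the sample log lines, the log layout and the use of the path length as the measure are assumptions.

```python
import re
from typing import Dict, List

# Low end of the 198-240 character range the advisory reports (assumption:
# measured here on the request path as a front-end proxy recorded it).
MIN_OVERFLOW_LEN = 198

# Extensions handed to the server-side parser; .shtml is the default.
PARSED_EXTENSIONS = (".shtml",)

# Common Log Format as written by a reverse proxy or IDS sensor in front of
# iWS. The iWS log is not usable here: the overflow is in the "file not
# found" logging path, so a successful attempt leaves no entry there.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_parsed_request(path: str) -> bool:
    """True if the path (query string stripped) selects the SHTML parser."""
    bare = path.split("?", 1)[0].lower()
    return bare.endswith(PARSED_EXTENSIONS)

def flag_shtml_overflow_attempts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per .shtml request long enough to reach the overflow."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the fields
        path = m.group("path")
        if is_parsed_request(path) and len(path) >= MIN_OVERFLOW_LEN:
            hits.append({"host": m.group("host"), "time": m.group("time"),
                         "path_len": len(path), "status": m.group("status")})
    return hits

# Constructed sample log: a normal .shtml hit, an oversized .shtml request
# (217-character path) and an equally long .html request that is not parsed.
LONG = "A" * 210
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2000:20:41:28 +0700] "GET /index.shtml HTTP/1.0" 200 512',
    f'198.51.100.7 - - [26/Oct/2000:20:45:03 +0700] "GET /{LONG}.shtml HTTP/1.0" 404 -',
    f'198.51.100.7 - - [26/Oct/2000:20:45:09 +0700] "GET /{LONG}.html HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for hit in flag_shtml_overflow_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} .shtml request path_len={hit['path_len']}")
```

Only the second sample line is reported; the long .html request is ignored because it never reaches the parser, which is why disabling parsed HTML is the advisory's workaround.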