OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Netscape Enterprise Server for NetWare Virtual Directory Vulnerab ility
From: Peter Grundl (prgN-M.COM)
Date: Mon Jun 26 2000 - 05:02:15 CDT


Netscape Enterprise Server for NetWare Virtual Directory Vulnerability

Advisory Code: VIGILANTE-2000001

Release Date:
June 26, 2000

Systems Affected:
NetWare 5.1 prior to support pack 1
NetWare 5.0 - all support packs
Possibly older versions of NetWare as well (not tested)

THE PROBLEM
By issuing a malformed URL it is possible to cause a denial of service
situation and/or execute arbitrary code on the server with the privileges of
the web server. Here is a snippet from the log file to
illustrate.

Server XXXXXXXX halted XXXXX, XX March 2000 13.13.00
Abend 8 on P00: Server-5.00d: Page Fault Processor Exception (Error code
00000000)

Registers:
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = D6C175C0
ESI = 61616161 EDI = 61616161 EBP = 61616161 ESP = D48F2F94
EIP = 61616161 FLAGS = 00010286
Address (61616161) exceeds valid memory limit
EIP in UNKNOWN memory area
Access Location: 0x61616161

Running process: NS Web Thread 7 Process
Created by: NetWare Application
Thread Owned by NLM: NSHTTPD.NLM
Stack pointer: D48F31B4
OS Stack limit: D48E3480
Scheduling priority: 67371008
Wait state: 5050090 (Wait for interrupt)
Stack: --61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?
--61616161 ?

The immediate effect of the problem if abused as denial of service is that
all "executables" cease to respond, that is, /cgi-bin/, /lcgi/, /netbasic/,
/perl/ etc., but as you can see, the EIP has been overwritten as well as the
entire stack.

Vendor Status:
Informed around the beginning of April this year

Fix:
Novell has released a patch included in NetWare 5.1 Support Pack 1.
Export(56 bit) URL:
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956734
Domestic(128 bit) URL:
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956733

Vendor URL: http://www.novell.com
Program URL: http://www.novell.com/products/netscape_servers/

Copyright VIGILANTe 2000-06-26

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.

Feedback:
Please send suggestions, updates, and comments to:

VIGILANTe
mailto: infovigilante.com
http://www.vigilante.com