From: Weld Pond (weld@ATSTAKE.COM)
Date: Fri Apr 20 2001 - 09:39:22 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                 @stake, Inc.
                               www.atstake.com

                         Security Advisory Notification

       Advisory Name: iPlanet Web Server Enterprise Edition 4.0, 4.1
                      Response Header Overflow
        Release Date: 04/16/2001
         Application: iPlanet Web Server Enterprise Edition 4.0, 4.1
            Platform: Solaris (2.6/7/8)
                      Windows (NT 4.0/2000)
                      Linux (2.2/2.4)
            Severity: An attacker can retrieve user requests, cookies, log
                      data, user names, passwords, etc.
              Author: Kevin Dunn (kdunn@atstake.com)
                      Chris Eng (ceng@atstake.com)
       Vendor Status: vendor has service pack and NSAPI module
       CVE Candidate: CAN-2001-0327
           Reference: www.atstake.com/research/advisories/2001/a041601-1.txt

    Summary:

    The iPlanet Web Server Enterprise Edition is a commercial web server
    used by organizations to serve up static web content, as well as deliver
    dynamic, personalized content retrieved from an application server or
    database backend. It is one of the three most popular web servers found
    on the Internet today, and a large number of secure, transactional
    application sites use the iPlanet Web Server as their front-end web
    server.

    The iPlanet Web Server has an implementation flaw that allows any remote
    user to retrieve data from the memory allocation pools on the running
    server. The retrieved data usually consists of fragments from previous
    HTTP requests and responses, including session identifiers, cookies,
    form submissions, usernames and passwords, etc.

    For example, in a home banking application deployed by a financial
    institution, this would grant an attacker access to any user account
    that logged in within some reasonable time before the attack was
    launched. Supplied with a valid session identifier, the application
    has no way of differentiating between the legitimate user and the
    attacker before executing transfers, bill payments, equity trades,
    etc. If persistent authentication credentials are used, in the form
    of a "remember my password" or "autologin" feature, these credentials
    could be used at any point in the future to access the user's
    account.

    This is a buffer overflow vulnerability in which improper handling
    of response header values permits access to unauthorized data. An
    attacker can use it to retrieve authentication and authorization
    credentials or to hijack existing user sessions. The vulnerability
    can be exploited without crashing the server and may occur within an
    SSL tunnel, making it extremely difficult to detect. Requests can
    also be routed through anonymizing proxies, making it difficult to
    trace the request's origin.
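
Added illustration of the bug class the advisory describes, written for this page and not taken from @stake's or iPlanet's code (the advisory does not disclose the actual defect). A response-header builder copies a value for a caller-supplied length that is never reconciled with the value's real length, so whatever stale bytes sit past the value in a reused allocation are handed to the next client inside a response header. The pool contents, header names and claimed length are constructed for the example; the hardened builder beside it shows the check a reviewer of header-building code should look for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 128
#define HEADER_MAX 96

/* Constructed "memory pool": one reused allocation that still holds a fragment
 * of an earlier request (another client's cookie) past the current value. */
static char pool[POOL_SIZE];

/* Fill the pool with stale bytes from a previous request, then store the current
 * header value at the start (NUL-terminated), as reused allocator memory would. */
const char *pool_place_value(const char *value) {
    const char *stale = "GET /account HTTP/1.0\r\nCookie: session=OLD-SESSION-ID\r\n";
    memset(pool, 0, sizeof pool);
    memcpy(pool, stale, strlen(stale));
    memcpy(pool, value, strlen(value) + 1);
    return pool;
}

/* Length of s, stopping at its terminator or at max bytes (a portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern: the value is copied for a caller-supplied length that is
 * never reconciled with the value's real length. Bytes past the terminator,
 * i.e. stale pool contents, land in the header sent to this client. Returns the
 * number of header bytes written, or -1 if the destination is too small. */
int build_header_unsafe(char *out, size_t out_size, const char *name,
                        const char *value, size_t claimed_len) {
    size_t name_len = strlen(name);
    if (name_len + 2 + claimed_len + 3 > out_size)   /* guards only the destination */
        return -1;
    memcpy(out, name, name_len);
    memcpy(out + name_len, ": ", 2);
    memcpy(out + name_len + 2, value, claimed_len);   /* over-read when claimed_len > strlen(value) */
    memcpy(out + name_len + 2 + claimed_len, "\r\n", 3);
    return (int)(name_len + 2 + claimed_len + 2);
}

/* Hardened pattern: the copy length is the value's real length, capped by the
 * caller's claim, and the destination check uses that reconciled length. */
int build_header_safe(char *out, size_t out_size, const char *name,
                      const char *value, size_t claimed_len) {
    size_t name_len = strlen(name);
    size_t real_len = bounded_len(value, claimed_len);   /* stops at the value's terminator */
    if (name_len + 2 + real_len + 3 > out_size)
        return -1;
    memcpy(out, name, name_len);
    memcpy(out + name_len, ": ", 2);
    memcpy(out + name_len + 2, value, real_len);
    memcpy(out + name_len + 2 + real_len, "\r\n", 3);
    return (int)(name_len + 2 + real_len + 2);
}

/* Length-aware search: the header goes out as raw bytes, so an embedded NUL
 * would not stop the leak the way it stops strstr(). */
int bytes_contain(const char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Run one scenario: the real value is 9 bytes, the claimed length is 60.
 * Returns 1 if the built header carries the previous client's cookie,
 * 0 if it does not, -1 if the builder refused the destination. */
int scenario_leaks(int use_safe_builder) {
    char out[HEADER_MAX];
    const char *v = pool_place_value("text/html");
    int len = use_safe_builder
        ? build_header_safe(out, sizeof out, "Content-Type", v, 60)
        : build_header_unsafe(out, sizeof out, "Content-Type", v, 60);
    if (len < 0)
        return -1;
    return bytes_contain(out, (size_t)len, "Cookie: session=");
}

int main(void) {
    printf("unsafe builder leaks stale request data: %d\n", scenario_leaks(0));
    printf("safe builder leaks stale request data:   %d\n", scenario_leaks(1));
    return 0;
}
```

The leak check deliberately scans by length instead of calling strstr(): a header buffer assembled this way can contain embedded NUL bytes, and since the server writes the buffer to the socket as raw bytes, a NUL does not stop the disclosure. The same point applies when looking for this class of defect in a code review: the destination-size check in the unsafe builder is not enough, because it says nothing about how many bytes of the source are actually valid.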

    Netscape Enterprise Server 3.6x does not appear to be vulnerable.

    Under certain conditions, this vulnerability may also be used as a
    denial of service attack.

    Vendor Response:

    iPlanet has acknowledged that the above-described problem exists and
    that it affects its iPlanet Web Server 4.x product line. iPlanet has
    committed to addressing this vulnerability by issuing a fix on April 16,
    to be made available in two formats simultaneously: an upgrade,
    iWS 4.1 SP7, and an NSAPI module that will shield the earlier versions
    of the server from the problem. These fixes, which will wholly mitigate
    the risk posed by this vulnerability, are available at:

    http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert4.16.html

    with implementation instructions and information on which fix is most
    appropriate for which cases.

    Advisory Reference:

    http://www.atstake.com/research/advisories/2001/a041601-1.txt

    ** The advisory contains additional information. We encourage those
    ** affected by this issue to read the advisory.
    **
    ** All vulnerability database maintainers should reference the above
    ** advisory reference URL to refer to this advisory.

    Advisory policy: http://www.atstake.com/research/policy/
    For more advisories: http://www.atstake.com/research/advisories/
    PGP Key: http://www.atstake.com/research/pgp_key.asc

    Copyright 2001 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1

    iQA/AwUBOtvCPlESXwDtLdMhEQJwdACguQ0GKYH3eZLlhmrZSObFT1ieLQgAoO1p
    G1EIitv0v0dl2stXdfDUpPBb
    =gHXx
    -----END PGP SIGNATURE-----