From: Chris Wysopal (weldvulnwatch.org)
Date: Wed Jan 09 2002 - 10:43:47 CST
ProCheckUp Security Bulletin PR01-04
Description: Netscape ?wp-html-rend denial of service attack
Date Public: 08/01/2002
Application: Netscape Enterprise 4.0 SP2,SP6 to 4.1 SP8
Platform: Windows NT
Severity: Remote attackers can shut down servers remotely
Author: Richard Brain
Vendor Status: Netscape has released a fix
CVE Candidate: Not assigned
Remote attackers can easily disable unpatched Netscape Enterprise servers
running on Windows NT with publishing enabled. When
http://server/?wp-html-rend is entered in a web browser, the service stops;
the URL might need to be entered multiple times to stop the service.
Remote attackers can easily perform a denial of service attack on Netscape
Enterprise servers running on Windows NT.
Netscape Enterprise has a selection of ?wp-* (Web publishing) commands
built into the web server. We have found that using one of these commands,
?wp-html-rend, reliably performs a denial of service attack by stopping the
running Netscape Enterprise service (v4.0) or the iWS service (v4.1).
Publishing needs to be enabled for this to work. Netscape 4.0 SP6 seems to
be less susceptible, requiring multiple ?wp-html-rend requests to crash.
The service has to be restarted manually for the server to function
properly again. We do not believe it is possible to use this exploit to
remotely execute code.
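For detection, the following is an added example and not part of the ProCheckUp bulletin or Netscape's code: it scans web server access logs for requests that carry a ?wp-* command in the query string and counts ?wp-html-rend requests per client. It assumes Common Log Format; the log lines, addresses and the "wp-example" command are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed log format: Common Log Format, request field "METHOD target PROTOCOL".
CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)')
# A ?wp-* command at the start of the query string (matched case-insensitively).
WP_CMD = re.compile(r'^(wp-[a-z0-9-]+)', re.IGNORECASE)

def wp_command(target):
    """Return the lower-cased ?wp-* command in a request target, or None."""
    _, sep, query = target.partition('?')
    if not sep:
        return None  # "wp-" in the path alone is not a publishing command
    # Decode percent-escapes first so an encoded spelling is still recognised.
    m = WP_CMD.match(unquote(query))
    return m.group(1).lower() if m else None

def scan(lines):
    """Return (hits, rend_per_client) for an iterable of access-log lines."""
    hits, rend_per_client = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        cmd = wp_command(m.group('target'))
        if cmd is None:
            continue
        hits.append((m.group('ts'), m.group('client'), cmd))
        if cmd == 'wp-html-rend':
            rend_per_client[m.group('client')] += 1
    return hits, rend_per_client

# Constructed sample lines (documentation addresses); "wp-example" is a made-up command.
SAMPLE = [
    '192.0.2.10 - - [09/Jan/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [09/Jan/2002:10:01:05 +0000] "GET /?wp-html-rend HTTP/1.0" 200 0',
    '198.51.100.7 - - [09/Jan/2002:10:01:06 +0000] "GET /?WP-HTML-REND HTTP/1.0" 200 0',
    '198.51.100.7 - - [09/Jan/2002:10:01:07 +0000] "GET /?%77p-html-rend HTTP/1.0" 200 0',
    '203.0.113.4 - - [09/Jan/2002:10:02:00 +0000] "GET /docs/?wp-example HTTP/1.0" 200 512',
    '192.0.2.10 - - [09/Jan/2002:10:03:00 +0000] "GET /wp-html-rend.html HTTP/1.0" 404 0',
]

if __name__ == '__main__':
    hits, rend_per_client = scan(SAMPLE)
    for ts, client, cmd in hits:
        print(f'{ts} {client} ?{cmd}')
    for client, n in rend_per_client.most_common():
        print(f'{client}: {n} ?wp-html-rend request(s); check service state')
```

A request that stops the service may never be written to the access log, so a gap in logging after the last recorded hit is also worth correlating with service restarts.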
?wp-html-rend is one of the wp commands, provided by Netscapes
To discover if publishing is enabled without crashing your NT servers,
enter the following URL: http://server/publisher. If publishing is enabled,
a page should appear.
Our tests for this vulnerability were conducted on an Intel NT4 SP6
server and a Sparc Solaris Server 2.6.
The ?wp-html-rend command is not useful in iWS 4.x. You can disable it by
using the attached NSAPI SAF. To install the SAF, load the disrend.dll on
your system and add the following lines to your obj.conf. The PathCheck
line should be the first PathCheck listed.
Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
Netscape has released the file disrend.dll
To see the vulnerability release go to iPlanet/7761
For related topics go to iPlanet/4302
Copyright 2001 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the bulletin is not edited or changed in any way, is attributed to
ProCheckUp, and provided such reproduction and/or distribution is performed
for non-commercial purposes.
Any other use of this information is prohibited. ProCheckUp is not liable
for any misuse of this information by any third party.