From: Chris Wysopal (weldvulnwatch.org)
Date: Wed Jan 09 2002 - 10:43:47 CST


    ProCheckUp Security Bulletin PR01-04

    CERT: VU#191763
    Description: Netscape ?wp-html-rend denial of service attack
    Date: 30/07/2001
    Date Public: 08/01/2002
    Application: Netscape Enterprise 4.0 SP2,SP6 to 4.1 SP8
    Platform: Windows NT
    Severity: Remote attackers can shut down servers remotely
    Author: Richard Brain
    Vendor Status: Netscape has released a fix
    CVE Candidate: Not assigned

    Description:

    Remote attackers can easily disable unpatched Netscape Enterprise servers
    running on Windows NT with publishing enabled. The URL
    http://server/?wp-html-rend is entered in the web browser; it might need
    to be entered multiple times to stop the service.

    Consequences:

    Remote attackers can easily perform a denial of service attack on Netscape
    Enterprise servers running with Windows NT.

    Detailed description:

    Netscape Enterprise has a selection of ?wp-* (Web publishing) commands
    built into the web server. We have found that using one of these commands,
    ?wp-html-rend, reliably performs a denial of service attack by stopping the
    running Netscape Enterprise service (v4.0) or the iWS service (v4.1).

    Publishing needs to be enabled for this to work. Netscape 4.0 SP6 seems to
    be less susceptible, requiring multiple ?wp-html-rend requests to crash.
    The service has to be restarted manually for the server to function
    properly again. We do not believe it is possible to use this exploit to
    remotely execute code.

    ?wp-html-rend is one of the wp commands provided by Netscape's
    content_mgr.dll.
    To discover if publishing is enabled without crashing your NT servers,
    enter the following URL: http://server/publisher. If publishing is enabled,
    a page should appear.
    Our tests for this vulnerability were conducted on Intel NT4 SP6
    server, and Sparc Solaris Server 2.6.

    Solution:

    The ?wp-html-rend command is not useful in iWS 4.x. You can disable it by
    using the attached NSAPI SAF. To install the SAF, load the disrend.dll on
    your system and add the following lines to your obj.conf. The PathCheck
    line should be the first PathCheck listed.

    Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
    PathCheck fn="disRend"

    Attached file:

    Netscape has released the file disrend.dll

    Further information:

    To see the vulnerability release go to iPlanet/7761
    or CERT/191763

    For related topics go to iPlanet/4302

    Legal:

    Copyright 2001 ProCheckUp Ltd. All rights reserved.

    Permission is granted for copying and circulating this bulletin to the
    Internet community for the purpose of alerting them to problems, if and
    only if, the bulletin is not edited or changed in any way, is attributed to
    ProCheckUp, and provided such reproduction and/or distribution is performed
    for non-commercial purposes.

    Any other use of this information is prohibited. ProCheckUp is not liable
    for any misuse of this information by any third party.
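
The workaround in the Solution section depends on two things in obj.conf: the Init line that loads disRend, and disRend being the first PathCheck. The following audit script is an added example, not part of the bulletin or of Netscape's fix; the sample configurations are constructed, the function names are hypothetical, and it assumes each directive sits on one line and checks PathCheck order across the whole file rather than per Object.

```python
import re

# Constructed sample obj.conf fragments (not taken from a real server).
# The shlib path is kept exactly as the bulletin prints it.
GOOD_CONF = '''\
Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
<Object name="default">
NameTrans fn="document-root" root="/docs"
PathCheck fn="disRend"
PathCheck fn="nt-uri-clean"
</Object>
'''
BAD_ORDER_CONF = '''\
Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
<Object name="default">
PathCheck fn="nt-uri-clean"
PathCheck fn="disRend"
</Object>
'''

PARAM = re.compile(r'([\w-]+)="([^"]*)"')

def directives(text):
    """Yield (directive, params) pairs, skipping comments and <Object> tags."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        yield parts[0], dict(PARAM.findall(parts[-1]))

def audit(text):
    """Return a list of problems; an empty list means the workaround is in place."""
    problems = []
    parsed = list(directives(text))
    loaded = any(
        name == "Init" and p.get("fn") == "load-modules"
        and "disRend" in p.get("funcs", "").split(",")
        for name, p in parsed)
    if not loaded:
        problems.append("no Init load-modules line exporting disRend")
    checks = [p.get("fn") for name, p in parsed if name == "PathCheck"]
    if "disRend" not in checks:
        problems.append('no PathCheck fn="disRend" line')
    elif checks[0] != "disRend":
        problems.append("disRend is not the first PathCheck (%s runs first)" % checks[0])
    return problems

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad order", BAD_ORDER_CONF)):
        print(label, audit(conf) or "ok")
```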