[VulnWatch] Sun ONE (iPlanet) Application Server Connector Module Overflow

From: @stake Advisories (@stake)
Date: 03/13/03

  • Next message: @stake Advisories: "[VulnWatch] Nokia SGSN (DX200 Based Network Element) SNMP issue"
    Date: Thu, 13 Mar 2003 11:40:39 -0500
    From: "@stake Advisories" <advisories@atstake.com>
    To: vulnwatch@vulnwatch.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                               @stake, Inc.
                             www.atstake.com

                            Security Advisory

    Advisory Name: Sun ONE (iPlanet) Application Server Connector Module
                   Overflow
     Release Date: 03/13/2003
      Application: SunONE (iPlanet) Application Server 6.x
         Platform: Microsoft Windows (NT 4.0/2000)
         Severity: Remote arbitrary code execution
           Author: Kevin Dunn (kdunn@atstake.com)
                   Chris Eng (ceng@atstake.com)
    Vendor Status: Vendor has patch for 6.5, no fix for 6.0
    CVE Candidate: CAN-2002-0387
        Reference: www.atstake.com/research/advisories/2003/a031303-1.txt

    Summary:

            A stack buffer overflow exists in the Connector Module that
    ships with the Sun ONE Application Server. The module is an NSAPI
    plugin that integrates the Sun ONE Web Server (formerly iPlanet
    Enterprise Server) with the Application Server. Incoming HTTP request
    URLs are handled by the module and an unbounded string operation
    causes the overflow.

            This is a classic stack buffer overflow and a remote attacker
    can gain control of the running web server.

    Detailed Description:

            The gxnsapi6.dll module that ships with the Sun ONE
    application server uses a static buffer in the handling of the
    incoming request URI.

            An overly long request URI in the form of
    /[AppServerPrefix]/[long buffer] will cause the overflow. The
    condition is exploitable because the copy runs past the end of the
    buffer and overwrites the saved return address (EIP) on the stack.
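
    The following is an added illustration of the mechanism described
    above, not code from the advisory or from gxnsapi6.dll. It models
    the vulnerable frame as a C struct (a fixed-size URI buffer with the
    saved frame pointer and saved return address laid out above it, as on
    x86) and copies a request path into it once with no bound, as the
    advisory describes, and once with the check the fix needs. The
    64-byte buffer size, the sentinel return address and the "/app/"
    prefix standing in for [AppServerPrefix] are all assumptions made for
    the demonstration; the copy is capped at the size of the modelled
    frame purely so the demo never writes outside its own struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the overflowed frame: a fixed URI buffer with the saved frame
   pointer and saved return address just above it, in the order an x86
   stack frame lays them out.  The 64-byte size is an assumption for this
   demo; the advisory does not give the real buffer size in gxnsapi6.dll. */
#define URI_BUF_SIZE 64
#define SENTINEL_EIP 0x08048000u

struct frame {
    char      uri[URI_BUF_SIZE];
    uintptr_t saved_ebp;
    uint32_t  saved_eip;   /* where the vulnerable function will return to */
};

/* The bug as the advisory describes it: the URI is copied into the fixed
   buffer with no length check, so a long one runs straight over the saved
   registers.  The cap at sizeof *f exists only so this demonstration never
   writes outside the modelled frame; the real copy has no such cap. */
static void vulnerable_copy(struct frame *f, const char *uri)
{
    size_t n = strlen(uri) + 1;            /* strcpy semantics: NUL included */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, uri, n);    /* f->uri sits at offset 0 */
}

/* The fix: refuse anything that does not fit, then copy with an explicit
   bound.  Returns 0 on success, -1 if the URI was rejected. */
static int bounded_copy(struct frame *f, const char *uri)
{
    size_t len = strlen(uri);
    if (len >= sizeof f->uri)
        return -1;
    memcpy(f->uri, uri, len + 1);
    return 0;
}

/* Convenience wrapper: 1 if bounded_copy accepts the URI, 0 if it rejects. */
static int bounded_copy_accepts(const char *uri)
{
    struct frame f;
    return bounded_copy(&f, uri) == 0;
}

/* Pushes one URI through a fresh frame with the unbounded copy and returns
   the saved return address afterwards: SENTINEL_EIP if it survived,
   attacker-supplied bytes if it was overwritten. */
static uint32_t eip_after_unbounded_copy(const char *uri)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xbfff0000u;
    f.saved_eip = SENTINEL_EIP;
    vulnerable_copy(&f, uri);
    return f.saved_eip;
}

/* Builds a constructed "/app/AAAA..." request path of total_len characters;
   "/app/" is a placeholder for the real [AppServerPrefix]. */
static char g_uri[512];
static const char *long_uri(size_t total_len)
{
    const char *prefix = "/app/";
    size_t p = strlen(prefix);
    if (total_len >= sizeof g_uri)
        total_len = sizeof g_uri - 1;
    if (total_len < p)
        total_len = p;
    memcpy(g_uri, prefix, p);
    memset(g_uri + p, 'A', total_len - p);
    g_uri[total_len] = '\0';
    return g_uri;
}

int main(void)
{
    printf("saved EIP after short URI:    0x%08x\n",
           eip_after_unbounded_copy("/app/index.html"));
    printf("saved EIP after 200-byte URI: 0x%08x\n",
           eip_after_unbounded_copy(long_uri(200)));
    printf("bounded_copy accepts 200-byte URI: %d\n",
           bounded_copy_accepts(long_uri(200)));
    return 0;
}
```

    With a 200-byte path the saved return address comes back as
    0x41414141, i.e. the 'A' bytes of the request, which is exactly the
    condition the advisory calls exploitable: the attacker chooses where
    the function returns to. The bounded version rejects the same path
    before any copy happens, which is the check the NSAPI sample further
    down performs at the front of the request pipeline.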

    Vendor Response:

           The vendor was initially contacted via email on 5/22/2002.

           Vendor has a patch available for Sun One Application
    Server 6.5. Download SP1 at:

    http://wwws.sun.com/software/download/products/3e3afb89.html

           Vendor has no patch available for version 6.0. Queries
    to the vendor as to the best solution for 6.0 customers
    were not answered.

    Recommendation:

            If you are using version 6.5 and you are able to patch your
    server, you should apply SP1.

            We offer the following recommendations for those using
    version 6.0 or unable to apply SP1 to 6.5.

            There are a number of things that can be done to partially or
    wholly mitigate the risk posed by this vulnerability. The following
    are some examples. The reader is encouraged to understand their
    environment and business needs and base their solution around those.

            * Use or write an NSAPI module similar to the sample provided
    to inspect the length of HTTP request URIs. The module could be run
    as the very first NameTrans directive in the default object so that
    it will apply to all incoming requests. The sample allows a maximum
    length for the URI to be specified in the obj.conf file, will log an
    error if it is exceeded, and will send a "440 Potential Attack
    Detected" response to the client.

            * Terminate the SSL session on a device before the Sun ONE
    web server and install an IDS sensor to monitor the clear-text
    traffic. Write a filter to detect abnormally long HTTP request URIs.

            * Terminate the SSL session on a reverse-proxy that performs
    data validation on all HTTP request headers. If a specified length
    is exceeded or a pattern matches, log, alert, and send a warning down
    to the client.
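
    The following is an added example of the filter the second and third
    recommendations describe, written for this edit and not part of the
    advisory. It takes HTTP request lines as an IDS sensor or reverse
    proxy would see them after SSL termination, pulls out the
    request-target, and flags any that sit under the application server
    prefix and exceed a length limit. "/app/" is a placeholder for the
    deployment's real [AppServerPrefix], the 500-byte limit mirrors the
    maxlength used in the NSAPI sample below, and the sample request lines
    are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* "/app/" is a placeholder for the real [AppServerPrefix] of the
   deployment; 500 mirrors the maxlength used in the NSAPI sample. */
#define APP_PREFIX  "/app/"
#define MAX_URI_LEN 500

/* Copies the request-target of an HTTP request line ("GET /x HTTP/1.1")
   into out, truncating if necessary, and returns its TRUE length, or -1
   if the line has no target.  Reporting the real length while copying
   only what fits keeps the detector itself free of the bug it looks for. */
static int extract_uri(const char *line, char *out, size_t out_size)
{
    const char *start = strchr(line, ' ');
    if (start == NULL)
        return -1;
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    size_t copy = len < out_size - 1 ? len : out_size - 1;
    memcpy(out, start, copy);
    out[copy] = '\0';
    return (int)len;
}

/* Returns 1 when the request targets the application server prefix with
   a request-target longer than MAX_URI_LEN, 0 otherwise. */
static int is_suspicious_request(const char *line)
{
    char uri[128];
    int len = extract_uri(line, uri, sizeof uri);
    if (len < 0)
        return 0;
    if (strncmp(uri, APP_PREFIX, strlen(APP_PREFIX)) != 0)
        return 0;
    return len > MAX_URI_LEN;
}

/* Runs the filter over captured request lines, logs each hit to stderr,
   and returns the number flagged. */
static int scan_requests(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_suspicious_request(lines[i])) {
            char uri[128];
            int len = extract_uri(lines[i], uri, sizeof uri);
            fprintf(stderr, "ALERT: %d-byte request-target under %s: %.40s...\n",
                    len, APP_PREFIX, uri);
            hits++;
        }
    }
    return hits;
}

/* Builds a constructed request line "GET <prefix>AAAA... HTTP/1.0" whose
   request-target is total_len characters long. */
static char g_req[1024];
static const char *build_request(char *out, size_t out_size,
                                 const char *prefix, size_t total_len)
{
    const char *tail = " HTTP/1.0";
    size_t p = strlen(prefix);
    if (total_len < p)
        total_len = p;
    if (total_len + 4 + strlen(tail) + 1 > out_size)   /* "GET " + target + tail + NUL */
        total_len = out_size - 4 - strlen(tail) - 1;
    memcpy(out, "GET ", 4);
    memcpy(out + 4, prefix, p);
    memset(out + 4 + p, 'A', total_len - p);
    memcpy(out + 4 + total_len, tail, strlen(tail) + 1);
    return out;
}

/* Constructed sample traffic: normal requests, one overlong request
   outside the prefix (not the connector module's problem) and one
   overlong request under the prefix, which is the only line flagged. */
static int run_sample_scan(void)
{
    char long_elsewhere[1024], long_under_prefix[1024];
    const char *samples[] = {
        "GET /app/login.jsp HTTP/1.1",
        "GET /index.html HTTP/1.1",
        build_request(long_elsewhere, sizeof long_elsewhere, "/static/", 600),
        build_request(long_under_prefix, sizeof long_under_prefix, "/app/", 600),
        "POST /app/servlet/Order HTTP/1.1",
    };
    return scan_requests(samples, sizeof samples / sizeof samples[0]);
}

int main(void)
{
    printf("%d suspicious request(s) flagged\n", run_sample_scan());
    return 0;
}
```

    Scoping the alert to the application server prefix keeps the noise
    down on sites that legitimately serve long URLs elsewhere; a reverse
    proxy that validates all headers can instead apply a global cap. The
    sensor only works on clear text, which is why the advisory says to
    terminate SSL in front of it.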

            =============================
            NSAPI Data Validation Module:
            =============================

            Usage:

            In [server-root]/[server-instance]/config/obj.conf:

            ...
            Init fn="load-modules" shlib="[path to libs]/long.so" funcs="bounds_check"

            <Object name=default>
            # Make sure this function is the first to be called
            NameTrans fn=bounds_check maxlength=500

            ...

             ----- BEGIN -----
             #include <stdlib.h>
             #include <string.h>
             #include "nsapi.h"

             static int max_req_len = 0;

             NSAPI_PUBLIC int bounds_check(pblock *pb, Session *sn,
               Request *rq) {
               char *temp;
               char *maxlen = pblock_findval("maxlength", pb);

               /* maxlength comes from the NameTrans directive. Fail closed
                  if it is missing: a misconfiguration must not silently
                  disable the check. */
               if (maxlen == NULL) {
                 log_error(LOG_MISCONFIG, "bounds_check", sn, rq,
                           "maxlength parameter missing, refusing request");
                 protocol_status(sn, rq, 500, "Server Misconfigured");
                 return REQ_ABORTED;
               }
               max_req_len = atoi(maxlen);

               /* The raw request URI as received from the client. */
               temp = pblock_findval("uri", rq->reqpb);

               if (temp != NULL && max_req_len > 0) {
                 if (strlen(temp) > (size_t) max_req_len) {
                   log_error(LOG_SECURITY, "bounds_check", sn, rq,
                             "Overly long URI header (%d bytes)... aborting.",
                             (int) strlen(temp));
                   protocol_status(sn, rq, 440, "Potential Attack Detected");
                   return REQ_ABORTED;
                 }
               }
               return REQ_NOACTION;
             }
             ----- END -----

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2002-0387

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPnCz4Ue9kNIfAm4yEQJkOACfXdDVFUFCGSrJqw3FGOrDXYkPQLkAoKEC
    rPaKbHt36eSVdU/4HP8XIPQf
    =WbKy
    -----END PGP SIGNATURE-----

