iPlanet search engine allows remote files access and buffer overflow



10th Jul 2002 [SBWID-5523]
COMMAND

	iPlanet search engine allows remote files access and buffer overflow

SYSTEMS AFFECTED

	iWS 6.0 and iWS 4.1 (tested on Windows NT/2000)

PROBLEM

	David Litchfield [david@ngssoftware.com] of NGSSoftware Insight
	security research reported the buffer overflow
	[http://www.nextgenss.com/vna/sun-iws.txt], and turambar
	[turambar386@routergod.com], with the help of Qualys Corporation, posted
	about the remote file access:
	

	 1. Buffer overflow
	 ==================

	

	Supplying an overly long value for the 'NS-rel-doc-name' parameter
	overwrites a saved return address on the stack, giving control over
	the vulnerable process's execution. Any code supplied will run in the
	security context of the account running the web server.
	

	 2. Remote file access
	 =====================

	

	The search engine that is included with iPlanet and previous versions
	uses HTML pattern files to get and format search parameters from users.
	By using the NS-query-pat command, a user can specify their own query
	pattern file rather than using the default one provided by the web
	site. Unfortunately, the search engine does no validity checking on the
	query pattern file thus requested. If, for instance, you telnet to port
	80 on an iWS web server and issue the command:

	GET /search?NS-query-pat=..\..\..\..\..\boot.ini

	iPlanet will happily provide you with the contents of the boot.ini
	file. This overrides all access control lists.

SOLUTION

	 Workaround
	 ==========

	Deactivate the search engine until the patch is applied.
	

	- Also -
	

	Here's a snort sig for the remote file access bug:

	alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC iPlanet Search Engine File Viewing"; flags:A+; uricontent:"NS-query-pat"; classtype:web-application-attack; sid:1000999; rev:1;)
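
	The signature above fires on any request whose URI contains NS-query-pat, including requests for a site's own pattern file. As an added example (not part of the original advisory), this Python script triages a web access log for the two conditions described under PROBLEM: a ".." component in NS-query-pat and an oversized NS-rel-doc-name. The log layout, the 256-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the advisory gives no overflow length; tune this for your site.
MAX_REL_DOC_NAME = 256
# A ".." path component with either slash style, checked after URL decoding.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Request target inside the quoted request line of a common-log-format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def classify(log_line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().startswith("/search"):
        return []
    findings = []
    # parse_qsl percent-decodes names and values before we inspect them.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        key = name.lower()
        if key == "ns-query-pat" and TRAVERSAL.search(value):
            findings.append("query-pat-traversal")
        elif key == "ns-rel-doc-name" and len(value) > MAX_REL_DOC_NAME:
            findings.append("rel-doc-name-oversize")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log (addresses, timestamps and file names are made up).
PREFIX = '192.0.2.10 - - [10/Jul/2002:12:00:00 +0000] "GET '
SAMPLE = [
    PREFIX + r'/search?NS-query-pat=..\..\..\..\..\boot.ini HTTP/1.0" 200 512',
    PREFIX + r'/search?NS-query-pat=..%5c..%5c..%5cboot.ini HTTP/1.0" 200 512',
    PREFIX + '/search?NS-query-pat=custom.pat HTTP/1.0" 200 2048',
    PREFIX + '/search?NS-rel-doc-name=' + "A" * 300 + ' HTTP/1.0" 500 0',
    PREFIX + '/index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE):
        print(lineno, ", ".join(found))
```

	Matching happens after percent-decoding, so the encoded and literal forms of the same request produce the same finding.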

	

	

	A check for the buffer overflow vulnerability has been added to Typhon II,
	NGSSoftware's vulnerability assessment scanner; more information is
	available from the NGSSite, http://www.ngssoftware.com/.
	

	

	 Patch
	 =====

	

	Users of iPlanet Web Server 6 should install Service Pack 3.
	

	Users of iPlanet Web Server 4.1 should install Service Pack 10.

