[13178] in bugtraq

Re: Netscape FastTrack httpd remote exploit

daemon@ATHENA.MIT.EDU (Max Vision)
Fri Dec 31 20:52:12 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSO.4.21.9912311130520.16621-100000@www.whitehats.com>
Date:         Fri, 31 Dec 1999 11:51:44 -0800
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991231112549.3919.qmail@nwcst322.netaddress.usa.net>

Hi,

This attack can now be detected by the following IDS signatures:

http://dev.whitehats.com/cgi/test/new.pl/Show?_id=web-netscape-overflow-unixware
http://dev.whitehats.com/cgi/test/new.pl/Show?_id=outgoing_xterm
http://dev.whitehats.com/cgi/test/new.pl/Show?_id=nops-x86

These signatures are also available as part of
http://dev.whitehats.com/ids/vision.conf

Note that each record includes packet traces from usage of an actual
exploit attempt.

Max Vision
http://whitehats.com/   <- free tools, forums, IDS database
http://maxvision.net/

On Fri, 31 Dec 1999, Brock Tellier wrote:
> OVERVIEW
> A vulnerability in Netscape FastTrack 2.01a will allow any remote user to
> execute commands as the user running the httpd daemon (probably nobody).  This
> service is running by default on a standard UnixWare 7.1 installation.
>
> /** uwhelp.c - remote exploit for UnixWare's Netscape FastTrack
>  **            2.01a scohelp http service
>  **
