[17391] in bugtraq


Re: Buffer overflow in iPlanet Web Server 4 server side SHTML

daemon@ATHENA.MIT.EDU (Fyodor)
Fri Oct 27 16:05:41 2000

Mail-Followup-To: Peter Watkins <peterw@USA.NET>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20001027145848.M17831@tigerteam.net>
Date:         Fri, 27 Oct 2000 14:58:48 +0700
Reply-To: Fyodor <fyodor@RELAYGROUP.COM>
From: Fyodor <fyodor@RELAYGROUP.COM>
X-To:         Peter Watkins <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20001026194226.A32552@usa.net>; from peterw@USA.NET on Thu,
              Oct 26, 2000 at 07:42:26PM -0400

>
> Please note that (fortunately!) Netscape Enterprise Server 3.6sp3
> (officially end-of-lifed but still widely used) does not seem vulnerable.
>
> > Overflow happens in logging function (when iWS tries to report that file
> > is not found). If exploitation is successful (or iWS segfaults), nothing
> > will remain in the logs.
>
> Note that the watchdog process will restart the Web server, so dumb,
> repetitive attacks will only effect a DoS. Intelligent attacks might be
> much, much worse. :-(
>


Not completely true. During in-lab experiments (while testing and developing
the exploit), I was able to hang up the NES server several times, so it doesn't
die, but does not respond to any further requests either, so you have to kill
it with SIGKILL to get the watchdog to restart it properly.


-Fyodor

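A liveness check an operator could run next to the watchdog, added here as an example and not code from this thread or from iPlanet: it tells a server that refuses connections (which the watchdog already restarts) apart from one that accepts the connection but never answers, and sends SIGKILL only in the second case so the watchdog sees the process exit and restarts it. The never-answering server stand-in, the probe timeout and the pid argument are constructed for the demonstration.

```python
import os
import signal
import socket
import threading


def probe_http(host, port, timeout=3.0):
    """Return 'ok' if the server answers a HEAD request within `timeout`,
    'hung' if it accepts the TCP connection but never replies (the state
    described in the reply above), or 'down' if the connection is refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = s.recv(64)
            return "ok" if data else "hung"
    except socket.timeout:
        return "hung"
    except OSError:          # ConnectionRefusedError and friends
        return "down"


def kick_if_hung(state, pid):
    """A dead server is the watchdog's job; only a hung one needs SIGKILL.
    Returns True when a kill was sent, False when nothing was done."""
    if state != "hung":
        return False
    os.kill(pid, signal.SIGKILL)
    return True


def start_hung_server():
    """Constructed stand-in for a wedged server: accepts connections on a
    loopback port and never writes a byte back. Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []            # keep accepted sockets open so clients wait forever

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]
```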