Reported May 16, 2001, by eEye Digital Security.
· Netscape Enterprise Server 4.1 for Windows NT
A vulnerability exists in the Web Publisher feature of Netscape Enterprise Server 4.1 for Windows NT that gives an attacker remote system-level shell access on the server. By sending a large buffer containing executable code and a new instruction pointer, an attacker can overflow the server and execute that code. The overflow exists in how Web Publisher handles the Uniform Resource Identifier (URI): by specifying GETPROPERTIES, GETATTRIBUTENAMES, or any other publisher-specific method, an attacker can pass data into the vulnerable section of the server. See eEye’s Web site for more details.
eEye provided the following proof-of-concept scenario:
Connecting To www.example.com... connected.
GETPROPERTIES /(buffer) HTTP/1.1
Where (buffer) is 2000 characters.
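As an added defender-side example (not from eEye's advisory or from iPlanet), the following Python checker flags the request pattern described above in access-log request lines: a Web Publisher method such as GETPROPERTIES carrying an oversized URI. The 1024-byte threshold, the two-method set, and the sample log lines are assumptions made here for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Web Publisher methods named in the advisory; it says any other
# publisher-specific method also reaches the flaw, so extend this set (assumed minimum).
PUBLISHER_METHODS = {"GETPROPERTIES", "GETATTRIBUTENAMES"}

# Assumed alert threshold: well under the 2000-character URI in eEye's proof
# of concept, but far longer than any legitimate Web Publisher resource path.
URI_LENGTH_THRESHOLD = 1024

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")


class Finding(NamedTuple):
    line_no: int
    method: str
    uri_len: int


def classify_request_line(line: str) -> Optional[Finding]:
    """Match the advisory's pattern: a Web Publisher method with an oversized
    URI. Long URIs on ordinary methods are ignored, since the overflow is in
    Web Publisher's URI handling, not the core server's."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None  # malformed or non-HTTP line; not this detector's job
    method, uri = m.group("method"), m.group("uri")
    if method in PUBLISHER_METHODS and len(uri) >= URI_LENGTH_THRESHOLD:
        return Finding(0, method, len(uri))  # line_no filled in by caller
    return None


def scan_request_log(lines: List[str]) -> List[Finding]:
    """Run classify_request_line over each log line, numbering the hits."""
    hits = [(n, classify_request_line(ln)) for n, ln in enumerate(lines, 1)]
    return [f._replace(line_no=n) for n, f in hits if f is not None]


# Constructed sample request lines (not from the advisory or a real server).
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GETPROPERTIES /docs/report.doc HTTP/1.1",     # legitimate publisher call
    "GET /" + "A" * 2000 + " HTTP/1.1",            # long URI, ordinary method
    "GETPROPERTIES /" + "A" * 2000 + " HTTP/1.1",  # the advisory's pattern
]

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_REQUEST_LINES):
        print(f"line {f.line_no}: {f.method} with {f.uri_len}-byte URI")
```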
The vendor, iPlanet, has acknowledged the vulnerability and released an NSAPI patch that corrects it. Users are further advised to apply Service Pack 8 (SP8) once iPlanet makes SP8 available.
Discovered by Riley Hassell.