Netscape Enterprise Server Allows Remote Command Execution

Reported May 16, 2001, by eEye Digital Security.

VERSION AFFECTED

· Netscape Enterprise Server 4.1 for Windows NT

DESCRIPTION
A vulnerability in the Web Publisher feature of Netscape Enterprise Server 4.1 for Windows NT gives an attacker remote system-level shell access on the server. The overflow is in how Web Publisher handles the Uniform Resource Identifier (URI): by sending a large buffer containing executable code and a new instruction pointer, an attacker can gain that access. By specifying GETPROPERTIES, GETATTRIBUTENAMES, or any other publisher-specific method, an attacker can pass data into the vulnerable section of the server. See eEye’s Web site for more details.

DEMONSTRATION

eEye provided the following proof-of-concept scenario:

 

C:\>telnet www.example.com 80
Connecting To www.example.com... connected.
GETPROPERTIES /(buffer) HTTP/1.1
Host: Hostname
(enter)
(enter)

Where (buffer) is 2000 characters.
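
For administrators reviewing access logs for the request shape shown above, the following is an added example, not code from eEye or iPlanet. It assumes Common Log Format entries, a 1024-character URI threshold, and that any non-standard HTTP method is worth examining; the function names and sample log lines are constructed for illustration.

```python
import re

# Methods named in the advisory. It says other publisher-specific methods are
# affected too, so any non-standard method is also examined (example's choice).
PUBLISHER_METHODS = {"GETPROPERTIES", "GETATTRIBUTENAMES"}
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
MAX_URI_LEN = 1024  # assumed threshold, below the advisory's 2000-character buffer

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}|-)')

def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = CLF.match(line)
    if not m:
        return None
    method, _, rest = m.group("req").partition(" ")
    method = method.upper()
    if not method or method in STANDARD_METHODS:
        return None
    # Drop the trailing protocol version, if any, to isolate the URI.
    uri = rest.rsplit(" ", 1)[0] if " HTTP/" in rest else rest
    named, oversized = method in PUBLISHER_METHODS, len(uri) > MAX_URI_LEN
    if named and oversized:
        severity = "high"      # the request shape shown in the advisory
    elif oversized:
        severity = "medium"    # unknown method with an oversized URI
    elif named:
        severity = "info"      # Web Publisher in use; confirm it is expected
    else:
        return None
    return {"host": m.group("host"), "method": method,
            "uri_len": len(uri), "status": m.group("status"), "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation addresses, filler URI).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/May/2001:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - editor [16/May/2001:10:00:05 -0700] "GETPROPERTIES /docs/a.html HTTP/1.1" 200 312',
    '198.51.100.7 - - [16/May/2001:10:02:44 -0700] "GETPROPERTIES /' + "x" * 2000 + ' HTTP/1.1" - -',
    '198.51.100.7 - - [16/May/2001:10:02:50 -0700] "FOOBAR /' + "x" * 1500 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A server that crashes while handling the request may never write the log entry, so an unexplained service restart is worth correlating with these findings.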

 

VENDOR RESPONSE

The vendor, iPlanet, acknowledges this vulnerability and has released an NSAPI patch to correct it. It's further recommended that users apply Service Pack 8 (SP8) when iPlanet makes SP8 available.

CREDIT
Discovered by Riley Hassell.
