Netscape Enterprise Server for NetWare Virtual Directory Vulnerability Advisory Code: VIGILANTE-2000001 Release Date: June 26, 2000 Systems Affected: NetWare 5.1 prior to support pack 1 NetWare 5.0 - all support packs Possibly older versions of NetWare as well (not tested) THE PROBLEM By issuing a malformed URL it is possible to cause a denial of service situation and/or execute arbitrary code on the server with the privileges of the web server. Here is a snippet from the log file to illustrate. Server XXXXXXXX halted XXXXX, XX March 2000 13.13.00 Abend 8 on P00: Server-5.00d: Page Fault Processor Exception (Error code 00000000) Registers: CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010 EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = D6C175C0 ESI = 61616161 EDI = 61616161 EBP = 61616161 ESP = D48F2F94 EIP = 61616161 FLAGS = 00010286 Address (61616161) exceeds valid memory limit EIP in UNKNOWN memory area Access Location: 0x61616161 Running process: NS Web Thread 7 Process Created by: NetWare Application Thread Owned by NLM: NSHTTPD.NLM Stack pointer: D48F31B4 OS Stack limit: D48E3480 Scheduling priority: 67371008 Wait state: 5050090 (Wait for interrupt) Stack: --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? --61616161 ? The immediate effect of the problem if abused as denial of service is that all "executables" cease to respond, that is, /cgi-bin/, /lcgi/, /netbasic/, /perl/ etc., but as you can see, the EIP has been overwritten as well as the entire stack. Vendor Status: Informed around the beginning of April this year Fix: Novell has released a patch included in NetWare 5.1 Support Pack 1. Export(56 bit) URL: http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956734 Domestic(128 bit) URL: http://support.novell.com/cgi-bin/search/tidfinder.cgi?2956733 Vendor URL: http://www.novell.com Program URL: http://www.novell.com/products/netscape_servers/ Copyright VIGILANTe 2000-06-26 Disclaimer: The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. Feedback: Please send suggestions, updates, and comments to: VIGILANTe mailto: info@vigilante.com http://www.vigilante.com