Bugtraq mailing list archives

Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure


From: ECKMA009 () SOSSGW STU UMN EDU (Brian Eckman)
Date: Wed, 8 Dec 1999 13:59:16 -0600


Buffer Overflow in Netscape Enterprise and FastTrack Authentication
Procedure

<<<snip>>>

Affected Versions:

This vulnerability affects all supported platforms of Enterprise and
FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01
were found to be vulnerable. Earlier versions may be vulnerable but were not
tested by ISS X-Force.

Description:

The buffer overflow is present in the HTTP Basic Authentication portion of
the server. When accessing a password protected portion of the
Administration or Web server, a username or password that is longer than
508 characters will cause the server to crash with an access violation
error. An attacker could utilize the Base64 encoded Authorization string
to execute arbitrary code as SYSTEM on Windows NT, or as root on Unix.
Attackers can use these privileges to gain full access to the server.

<<<snip>>>

A similar problem exists in the Enterprise Web Server for NetWare 4.x and 5.x. When a username >310 chars is sent to 
the Admin Server, the Admin server crashes. Authentication to other password protected areas of the Web Server is not 
affected.

SPECIFICS:
With the Enterprise Server for NetWare, the admin port on the server will allow a username of any length when 
authenticating. A username of more than 310 characters will cause the admserv.nlm to crash. The admin port then is not 
accessible again until the server is rebooted. An attempt to manually unload the nlm caused the server to lock up 
completely. An attempt to reload the nlm resulted in a message stating the nlm was already loaded.

The offending process (admserv.nlm) does not appear to stop other services running on the server. The Web server 
continues to function normally, as does the LDAP authentication to other restricted areas. (I only tested restricted 
subdirectories within the web root)

Regular directories within the Web site that require authentication are not vulnerable. Submitting a long username 
and/or password (somewhere over 1000 chars, I believe) will result in a message "Your browser sent a message this 
server could not understand." 

I tested on a 4.11 box with SP7.

Not sure if privileges can be gained...

FIX:
The Admin server can be turned off when not in use, or block that port with your firewall.

I contacted an engineer at a local Novell office on Dec 2 with no response. Don't see a way on their site to report 
bugs :(

Brian
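A defender-side check for the condition discussed in this thread, added here as an example and not part of the original post or of any Netscape or Novell code: it decodes HTTP Basic Authorization header values and flags credentials whose user-id or password exceeds the lengths reported above (508 for Enterprise/FastTrack, 310 for the NetWare admin server), so oversized logins can be alerted on at a proxy or in captured headers. The sample headers are constructed and the function names are assumptions.

```python
import base64
import binascii
from dataclasses import dataclass
# Thresholds from this thread: ISS saw crashes above 508 chars; admserv.nlm on NetWare above 310.
ENTERPRISE_LIMIT = 508
NETWARE_ADMSERV_LIMIT = 310

@dataclass
class AuthCheck:
    verdict: str        # "ok", "oversized", "malformed" or "ignored"
    user_len: int = 0
    pass_len: int = 0
    detail: str = ""

def inspect_basic_auth(header_value: str, limit: int) -> AuthCheck:
    """Decode one Authorization header value and flag Basic credentials longer than `limit`."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return AuthCheck("ignored", detail=f"scheme {scheme!r} is not Basic")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return AuthCheck("malformed", detail="token is not valid base64")
    user, sep, password = raw.partition(b":")   # user-id may not contain ':', password may
    if not sep:
        return AuthCheck("malformed", user_len=len(user), detail="no ':' in decoded credentials")
    if len(user) > limit or len(password) > limit:
        return AuthCheck("oversized", len(user), len(password), f"exceeds {limit} bytes")
    return AuthCheck("ok", len(user), len(password))

def scan_headers(lines, limit=NETWARE_ADMSERV_LIMIT):
    """Return (line_no, AuthCheck) for each Authorization header that should raise an alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        result = inspect_basic_auth(value, limit)
        if result.verdict in ("oversized", "malformed"):
            hits.append((n, result))
    return hits

def _basic(user: str, password: str) -> str:   # builds a header value for the constructed sample
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

SAMPLE_HEADERS = [  # constructed sample capture: a normal login, a 311-char username, a broken token
    "Authorization: " + _basic("admin", "s3cret"),
    "Authorization: " + _basic("A" * 311, "x"),
    "Authorization: Basic not*base64*",
]
```

The same 311-character username passes under the 508-byte Enterprise/FastTrack limit, so the threshold should be chosen per product being protected.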

