ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure

[aleph1 () UNDERGROUND ORG (Aleph One)]

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
December 1, 1999

Buffer Overflow in Netscape Enterprise and FastTrack Authentication
Procedure

Synopsis:

Netscape Enterprise Server and Netscape FastTrack Server are widely used
Internet web servers. Internet Security Systems (ISS) X-Force has discovered
a vulnerability in Netscape Enterprise Server and Netscape FastTrack
Server, as well as in the Administration Server supplied with both. There
is a buffer overflow in the HTTP Basic Authentication that can be used to
execute code on the machine as SYSTEM in Windows NT or as root or nobody
in Unix, without requiring authentication. The Administration Service runs
as root in Unix, the Application Server runs as the user 'nobody' by
default.

Affected Versions:

This vulnerability affects all supported platforms of Enterprise and
FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack 3.01
were found to be vulnerable. Earlier versions may be vulnerable but were not
tested by ISS X-Force.

Description:

The buffer overflow is present in the HTTP Basic Authentication portion of
the server. When accessing a password protected portion of the
Administration or Web server, a username or password that is longer than
508 characters will cause the server to crash with an access violation
error. An attacker could utilize the Base64 encoded Authorization string
to execute arbitrary code as SYSTEM on Windows NT, or as root on Unix.
Attackers can use these privileges to gain full access to the server.

Recommendations:

Affected users should upgrade their systems immediately. This vulnerability
affects systems running  Administration Server with password protected areas
that rely on Basic Authentication. If you run any of the affected servers on
any platform, upgrade to iPlanet Web Server 4.0sp2 at:
http://www.iplanet.com/downloads/testdrive/detail_161_243.html. Netscape has
stated that FastTrack will not be patched. Although Netscape released
service pack 3 for Enterprise Server 3.6 that fixes the vulnerability in the
web server, the Administration Server remains vulnerable. If you are unable
to upgrade, ISS X-Force recommends that you block the Administration Server
port at the firewall to prevent outside attacks.

ISS X-Force recommends verifying the existence of this vulnerability through
the upcoming release of Internet Scanner v.6.0.1 which will be available
for customer download from the ISS website.

Credits:

Information in this advisory was obtained by the research of Caleb Sima of
the ISS X-Force. Additional research and information was provided by
Justine Bone and Jon Larimer of the ISS X-Force. ISS X-Force would like
to thank Netscape Communications Corporation  for their response and
handling of this vulnerability.

About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 800-776-2362.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express consent
of the X-Force.  If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please e-mail
xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce () iss net
of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOEWatzRfJiV99eG9AQEbOQP7BZdxXp6YjH6WEJ6Uq/DxNwQDk4DPTY7M
tNQHbNPLeYGLjd2L5bNJdi457rHF2Kein9odgCfwkeiMAJf1PrepYLSc3YsQEZAW
DTjT6XRGFcasJT068laNhaGNJ+5VIhxXF8h+0Y0sL3NWx1JbrliaqgeidVdG13vw
pZjxFvozV9w=
=2ysL
-----END PGP SIGNATURE-----