Bugtraq mailing list archives

Re: Netscape FastTrack httpd remote exploit

From: vision () WHITEHATS COM (Max Vision)
Date: Fri, 31 Dec 1999 11:51:44 -0800


Hi,

This attack can now be detected by the following IDS signatures:

http://dev.whitehats.com/cgi/test/new.pl/Show?_id=web-netscape-overflow-unixware
http://dev.whitehats.com/cgi/test/new.pl/Show?_id=outgoing_xterm
http://dev.whitehats.com/cgi/test/new.pl/Show?_id=nops-x86

These signatures are also available as part of
http://dev.whitehats.com/ids/vision.conf

Note that each record includes packet traces from usage of an actual
exploit attempt.

Max Vision
http://whitehats.com/   <- free tools, forums, IDS database
http://maxvision.net/

On Fri, 31 Dec 1999, Brock Tellier wrote:

OVERVIEW
A vulnerability in Netscape FastTrack 2.01a will allow any remote user to
execute commands as the user running the httpd daemon (probably nobody).  This
service is running by default on a standard UnixWare 7.1 installation.

/** uwhelp.c - remote exploit for UnixWare's Netscape FastTrack
 **            2.01a scohelp http service
 **

Current thread:

Netscape FastTrack httpd remote exploit Brock Tellier (Dec 31)
- Re: Netscape FastTrack httpd remote exploit Max Vision (Dec 31)