Bugtraq mailing list archives

TGAD DoS


From: JDaniele () KPMG CA (John Daniele)
Date: Fri, 14 May 1999 17:34:26 -0400


TGAD DoS

VirtualVault Overview

The VirtualVault operating system is HP's solution to secure
electronic commerce. It is a B1 and B2 DoD compliant system
that is becoming increasingly popular with big business, banks, etc.
The main security mechanism on which VVOS is based is data partitioning.
Data on the system is classified into one of four security classes, or 'vaults':
INSIDE, OUTSIDE, SYSTEM and SYSTEM HIGH. The INSIDE vault houses the server's
backend applications and databases. The OUTSIDE vault generally
contains the internet front end and any necessary CGI binaries, etc.
SYSTEM and SYSTEM HIGH are responsible for maintaining the external
webpages and audit logs respectively. These vaults are totally segregated
from each other and work essentially as separate machines. If a
program requires access to either of the vaults it must be authenticated
by HP's Trusted Gateway Proxy daemon. The TGP daemon filters all requests
from the internet and forwards them to middleware server packages that
safely reside behind the INSIDE vault.

TGA Bug

While the TGP daemon does a good job of ensuring the integrity of the
request prior to forwarding data to its destination, the trusted
gateway agent that is responsible for wrapping CGI requests does not
check the length of the request prior to sending it to TGP. This poses
a problem since TGA does not correctly handle request messages that
are more than 512 bytes in length. The result is a trivial DoS attack on
TGA and all services being wrapped by TGA. The bug was discovered during a
penetration test on a client system running VVOS 3.01. A post was made to
a CGI application residing on the system with a large string of characters.
This was then sent to the trusted gateway agent, causing the daemon
to crash, leaving the Netscape Enterprise Server unable to service further
HTTP/SSL requests. The NES logs show the following:

[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to
GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports: ERROR:
setup_connection():
Failed to transfer execution message to TGA daemon

And when NES is started back up:

[07/May/1999:16:28:18] info:  successful server startup
[07/May/1999:16:28:18] info: Netscape-Enterprise/3.5.1G B98.169.2301
[07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource
temporarily unavailable)

FIX

Chris Hudel of HP was notified of this bug on Wednesday May 12, 1999. He stated
that HP was aware of the problem and addressed it in patch PHSS 10747. However,
I am not aware of HP releasing an official 'bug report' on this issue.
Since I have encountered several VVOS systems this past week that have not
been patched, and sysadmins who are unaware of this bug and patch, I decided
to post the details publicly. NOTE: I have not tested this bug against
PHSS 10747 and would appreciate input from those who have at foo () faber to.

                                                - John Daniele
                                                  jdaniele () kpmg ca
                          VOX: (416) 777-3759
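
Added example (not part of the original post, and not HP's code): a Python scan of an NES error log for the two symptoms quoted above, the vvtga_log hand-off failure and the later accept failure. The function names, the rule for re-joining wrapped lines, and the use of the logged URI length as a stand-in for the 512-byte request size are assumptions.

```python
import re

LIMIT = 512  # request size above which the post says TGA fails
TGA_FAIL = "Failed to transfer execution message to TGA daemon"
ACCEPT_FAIL = "Error accepting connection"
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>\w+):\s*(?P<msg>.*)$")
REQUEST = re.compile(r"for host (?P<host>\S+) trying to (?P<method>[A-Z]+) (?P<uri>\S+), vvtga_log")

# Constructed sample: the log excerpts quoted in the post, wrapped as they appear there.
SAMPLE = """\
[07/May/1999:16:16:22] security: for host xxx.xxx.xxx.xxx trying to
GET /cgi-bin/somecgi.cgi?AAAAAAAAAAAAAAA..., vvtga_log reports: ERROR:
setup_connection():
Failed to transfer execution message to TGA daemon
[07/May/1999:16:28:18] info:  successful server startup
[07/May/1999:16:33:18] failure: Error accepting connection -5993 (Resource
temporarily unavailable)
"""

def join_entries(text):
    """Re-join wrapped lines: a line not starting with '[' continues the previous entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def scan(text):
    """Return findings for TGA hand-off failures and for accept failures logged by NES."""
    findings = []
    for entry in join_entries(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        msg = m.group("msg")
        if TGA_FAIL in msg:
            req = REQUEST.search(msg)
            uri = req.group("uri") if req else ""
            findings.append({"ts": m.group("ts"), "kind": "tga_handoff_failure",
                             "host": req.group("host") if req else None,
                             "uri_len": len(uri), "oversized": len(uri) > LIMIT})
        elif m.group("level") == "failure" and ACCEPT_FAIL in msg:
            findings.append({"ts": m.group("ts"), "kind": "accept_failure"})
    return findings
```

Calling `scan(SAMPLE)` returns one finding per symptom; the URI in the quoted excerpt is elided, so `oversized` is only meaningful against a full log.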


