Security Incidents mailing list archives

Remote buffer overflow in Darwin server?

From: Jeff Frost <batalion () APOCALYPSE ORG>
Date: Mon, 18 Dec 2000 16:17:39 -0800

A little quick background: At my current company, we focus on streaming
media, and have been running the Darwin Streaming Server 2.0.1-110 for
some time now on one of our Linux machines.  Last night, someone got into
the machine and started running the jolt2 DoS attack against our
webserver.  While the webserver didn't mind the attack, our cisco didn't
appreciate us in the least, and this is what tipped us off to the hack.

After examining all possible entry points into the network and the nature of
the attack, it appears likely that the intruder got in through the darwin
server.  Running nessus against the entire network shows the only likely
vulnerability being a buffer overflow in the darwin server which is
remotely exploitable.  Some emails to the darwin developer list confirmed
this, as they stated that that version of darwin does in fact have a
buffer overflow vulnerability, though they didn't know of any exploits.

My question is this: have any of you seen or heard of any remote exploits
for the buffer overflow on the linux version of Darwin?

I'm thinking I'd like to pull the plug on quicktime streaming until I get
a better handle on whether the newer versions of Darwin have any similar
vulnerabilities.

Here's the nessus output (note that we need to allow streaming on port 80
for clients behind firewalls :-( ):

Vulnerability found on port www (80/tcp)


    The remote web server seems to crash when it is issued
    a too long argument to the 'Accept:' command :

    Exemple :

    GET / HTTP/1.0
    Accept: <thousands of chars>/gif


    This may allow an attacker to execute arbitrary code on
    the remote system.

    Solution : Contact your vendor for a patch.

    Risk factor : High

Vulnerability found on port www (80/tcp)

    It was possible to perform
    a denial of service against the remote
    HTTP server by sending it a long /cgi-bin relative URL.

    This problem allows a cracker to prevent
    your Lotus Domino web server from handling requests.

    Solution : contact your vendor for a patch, or
    change your server. Consider changing cgi-bin mapping
    by something impossible to guess in server document of
    primary Notes NAB.
