-----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Netscape Enterprise and FastTrack Web Servers Buffer Overflow September 1, 1999 17:00 GMT Number J-062 ______________________________________________________________________________ PROBLEM: Internet Security Systems (ISS) X-Force has discovered a vulnerability in the Netscape Enterprise Server and Netscape FastTrack Server. PLATFORM: All platforms using: Netscape Enterprise 3.6sp2 Netscape FastTrack 3.01 DAMAGE: An attacker could cause a denial of service, that could result in a root compromise. SOLUTION: Apply fixes listed below. ______________________________________________________________________________ VULNERABILITY Risk is high since an attacker could take over the server ASSESSMENT: as SYSTEM, giving them full control of the machine. ______________________________________________________________________________ [ Start ISS Advisory ] ISS Security Advisory August 25, 1999 Buffer Overflow in Netscape Enterprise and FastTrack Web Servers Synopsis: Internet Security Systems (ISS) X-Force has discovered a vulnerability in the Netscape Enterprise Server and Netscape FastTrack Server. Netscape produces web servers and web browsers for individuals, small workgroups, and business professionals. An attacker can send the web server an overly long HTTP GET request, overflowing a buffer in the Netscape httpd service and overwriting the process's stack. This allows a sophisticated attacker to force the machine to execute any program code that is sent. The ISS X-Force has demonstrated that it is possible to use this vulnerability to execute arbitrary code as SYSTEM on the server, giving an attacker full control of the machine. Affected Versions: This vulnerability was tested on Enterprise 3.6sp2 and FastTrack 3.01. Fix Information: Apply the Enterprise 3.6 SP 2 SSL Handshake fix, available from Netscape at: http://www.iplanet.com/downloads/patches/detail_12_86.html. Additional Information: To download the FlexCheck for this vulnerability for Internet Scanner 6.0, go to the following URL: http://download.iss.net/eval/ISNetscapeGetOverflowFlexCheck.exe Additional Information: Information in this advisory was obtained by the research of Caleb Sima of the ISS X-Force. ISS X-Force would like to thank Netscape Communications Corporation for their response and handling of this vulnerability. ________ About ISS: ISS is the pioneer and leading provider of adaptive network security software delivering enterprise-wide information protection solutions. ISS' award-winning SAFEsuite family of products enables information risk management within intranet, extranet and electronic commerce environments. By combining proactive vulnerability detection with real-time intrusion detection and response, ISS' adaptive security approach creates a flexible cycle of continuous security improvement, including security policy implementation and enforcement. ISS SAFEsuite solutions strengthen the security of existing systems and have dramatically improved the security posture for organizations worldwide, making ISS a trusted security advisor for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net. Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. [ End ISS Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge Internet Security Systems, Inc. for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) J-052: SGI arrayd default security configuration J-053: HP Current Directory Vulnerability J-054: Unauthorized Access to IIS Servers through ODBC Data Access with RDS J-055: IBM AIX Vulnerability in ptrace() system call J-056: Microsoft "Encapsulated SMTP Address" Vulnerability J-057: Windows NT(r) Terminal Servers DOS Vulnerability J-058: Microsoft "Malformed HTTP Request Header" Vulnerability J-059: IBM AIX (pdnsd) Buffer Overflow Vulnerability J-060: Microsoft Office 'ODBC' Vulnerabilities J-061: Lotus Notes Domino Server Denial of Service Attacks -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBN86V/LnzJzdsy3QZAQHPCgP/Qmbyw9jDI1KOGwPhlgHm3xHH6yWmnvPV 6He96MvwOMWFomLUXk46SdOCSYiac9aBHWu22HhCBiCpRakrI8zPcwyEGAQkrufx WBWi6sZKUrD90id9TlXL+cwBC8bPWu7bCNbsM50lPcIZHssLBtkhTRT6rN5Wpex2 J2ULNd+bCeA= =WL0j -----END PGP SIGNATURE-----