Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise andFastTrack Authentication Procedure
From: ECKMA009 () SOSSGW STU UMN EDU (Brian Eckman)
Date: Wed, 8 Dec 1999 13:59:16 -0600
> Buffer Overflow in Netscape Enterprise and FastTrack Authentication
>
> This vulnerability affects all supported platforms of Enterprise and
> FastTrack web servers. Enterprise 3.5.1 through 3.6sp2 and FastTrack
> 3.01 were found to be vulnerable. Earlier versions may be vulnerable but were
> not tested by ISS X-Force.
>
> The buffer overflow is present in the HTTP Basic Authentication portion of
> the server. When accessing a password protected portion of the
> Administration or Web server, a username or password that is longer than
> 508 characters will cause the server to crash with an access violation
> error. An attacker could utilize the Base64 encoded Authorization string
> to execute arbitrary code as SYSTEM on Windows NT, or as root on Unix.
> Attackers can use these privileges to gain full access to the server.
A similar problem exists in the Enterprise Web Server for NetWare 4.x and 5.x. When a username >310 chars is sent to
the Admin Server, the Admin server crashes. Authentication to other password protected areas of the Web Server is not
With the Enterprise Server for NetWare, the admin port on the server will allow a username of any length when
authenticating. A username of more than 310 characters will cause the admserv.nlm to crash. The admin port then is not
accessible again until the server is rebooted. An attempt to manually unload the nlm caused the server to lock up
completely. An attempt to reload the nlm resulted in a message stating the nlm was already loaded.
The offending process (admserv.nlm) does not appear to stop other services running on the server. The Web server
continues to function normally, as does the LDAP authentication to other restricted areas. (I only tested restricted
subdirectories within the web root)
Regular directories within the Web site that require authentication are not vulnerable. Submitting a long username
and/or password (somewhere over 1000 chars, I believe) will result in a message "Your browser sent a message this
server could not understand."
I tested on a 4.11 box with SP7.
Not sure if privileges can be gained...
The Admin server can be turned off when not in use, or that port can be blocked with your firewall.
I contacted an engineer at a local Novell office on Dec 2 with no response. Don't see a way on their site to report
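The advisory and the follow-up both boil down to one measurable condition: a Basic Authorization header whose decoded username or password exceeds a server-specific length (508 for Enterprise/FastTrack, 310 for the NetWare admin server). The detection logic below is an added example, not code from ISS, Novell or the original poster; it decodes Basic credentials from raw HTTP requests and flags oversized fields, using constructed sample requests as input. The thresholds are the only values taken from the page.

```python
import base64
import binascii
import re

# Length thresholds reported on this page (not tunables from any vendor documentation).
ENTERPRISE_LIMIT = 508      # Netscape Enterprise / FastTrack crash above this
NETWARE_ADMIN_LIMIT = 310   # NetWare admserv.nlm crash above this

# Matches one 'Authorization: Basic <token>' header line in a raw request.
AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def decode_basic_credentials(token):
    """Return (username, password) from a Basic token, or None if the token is not valid base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, _sep, password = raw.partition(b":")
    return user.decode("latin-1"), password.decode("latin-1")


def inspect_request(raw_request, limit=ENTERPRISE_LIMIT):
    """Return a list of findings for oversized or malformed Basic credentials in a raw HTTP request."""
    findings = []
    for match in AUTH_RE.finditer(raw_request):
        creds = decode_basic_credentials(match.group(1))
        if creds is None:
            findings.append("malformed base64 in Authorization header")
            continue
        user, password = creds
        if len(user) > limit:
            findings.append(f"username length {len(user)} exceeds {limit}")
        if len(password) > limit:
            findings.append(f"password length {len(password)} exceeds {limit}")
    return findings


def _request_with_basic_auth(user, password):
    """Build a constructed sample request carrying the given credentials."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"GET /admin/ HTTP/1.0\r\nHost: example.test\r\nAuthorization: Basic {token}\r\n\r\n"


# Constructed samples: a normal login and two oversized usernames (600 and 320 characters).
NORMAL_REQUEST = _request_with_basic_auth("admin", "s3cret")
OVERSIZED_REQUEST = _request_with_basic_auth("A" * 600, "x")
NETWARE_REQUEST = _request_with_basic_auth("B" * 320, "x")
```

Run the same request through both thresholds to see that a 320-character username passes the Enterprise check but trips the NetWare admin check.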