iPlanet Search Buffer Overflow

NGSSoftware Insight Security Research Advisory

Name: iPlanet Search Buffer Overflow

Systems: iWS 6.0 and iWS 4.1

Severity: High Risk (if Search enabled)

Category: Remote Buffer Overrun Vulnerability

Vendor URL: http://www.iplanet.com/

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/sun-iws.txt

Date: 9th July 2002

Advisory number: #NISR09072002A

VNA reference : http://www.nextgenss.com/vna/sun-iws.txt

Description

***********

iPlanet’s Web Server, now owned and maintained by Sun Microsystems, has a

remotely exploitable buffer overrun vulnerability in the search component.

Details

*******

By default, the search capabilities of iPlanet’s Web Server are turned off,

but if search has been enabled then the server is vulnerable to a remotely

exploitable buffer overrun. By supplying an overly long value for the

‘NS-rel-doc-name’ parameter a saved return address is overwritten on the

stack, giving control over the vulnerable process’ execution. Any code

supplied will run in the security context of the account running the web

server. On Windows NT/2000, for example, this account is the local SYSTEM

account, by default, so any code will run uninhibited.

Fix Information

***************

NGSSoftware alerted Sun to this problem on the 25th of April 2002 and were

informed that Sun wanted to address this in the next service pack, despite

NGSSoftware’s recommedation that a hotfix should be released as this is a

remotely exploitable issue. This aside the service pack has been released.

Users of iPlanet Web Server 6 should install Service Pack 3.

Users of iPlanet Web Server 4.1 should install Service Pack 10.

A check for this vulnerability has been added to Typhon II, NGSSoftware’s

vulnerability assessment scanner, of which, more information is available

from the NGSSite, http://www.ngssoftware.com/ .