COMMAND

	Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow

SYSTEMS AFFECTED

	 Release Date: August 8, 2002

	

	 Severity:

	 High (Remote SYSTEM/ROOT)

	

	 Systems Affected:

	 iPlanet 6.0 and prior

PROBLEM

	 Description:

	 A vulnerability in transfer chunking can be exploited to remotely execute

	 code of an attacker's choice on a vulnerable machine. By sending a carefully

	 crafted session, an attacker can overwrite a section of the heap. Various

	 data structures in the overwritten heap can be manipulated to move attacker

	 supplied data to attacker supplied memory addresses, thereby altering the

	 flow of execution into an attacker supplied payload.

	

	 Note this variant is not the integer overflow affecting IIS and Apache that

	 was discovered during regression testing with Microsoft. This is another

	 variant relating to incorrect size calculation.

	

	 The following example will show the vulnerable condition:

	

	**************Begin Session****************

	POST /EEYE.html HTTP/1.1

	Host: www.EEYE2002.com

	Transfer-Encoding: chunked

	Content-Length: 22

	

	4

	EEYE

	7FFFFFFF

	[DATA]

	**************End Session******************

	

	 [DATA] will overwrite heap memory. Increase or decrease depending on

	 implementation.

	

	 Technical Description:

	 The example session above overwrites a section of the heap that contains

	 data structures related to the Memory management system. By manipulating the

	 content of these structures, we can overwrite an arbitrary 4 bytes of memory

	 with an attacker supplied address. 

	

	 It is widely assumed that the risk for these type of vulnerabilities is

	 fairly low due to the fact that addressing is dynamic and that you must use

	 brute force in your attack; however, this is false assumption and

	 exploitation can be successful with one attempt, across dll versions. An

	 attacker can overwrite static global variables, stored function pointers,

	 process management structures, memory management structures, or any number

	 of data types that will allow him to gain control of the target application

	 in one session.

SOLUTION

	 Vendor Status:

	 Sun has released a security bulletin and patch:

	

	http://www.sun.com/service/support/software/iplanet/alerts/transferencodinga

	lert-23july2002.html

	

	 Credit: Riley Hassell

	

	 Greetings:

	 Eli, Kasia, Halvar, FX, and the three amigos K2, Dark Spyrit, and Joey.

	

	 Copyright (c) 1998-2002 eEye Digital Security

	 Permission is hereby granted for the redistribution of this alert

	 electronically. It is not to be edited in any way without express consent of

	 eEye. If you wish to reprint the whole or any part of this alert in any

	 other medium excluding electronic medium, please e-mail alert@eEye.com for

	 permission.

	

	 Disclaimer

	 The information within this paper may change without notice. Use of this

	 information constitutes acceptance for use in an AS IS condition. There are

	 NO warranties with regard to this information. In no event shall the author

	 be liable for any damages whatsoever arising out of or in connection with

	 the use or spread of this information. Any use of this information is at the

	 user's own risk.

	

	 Feedback

	 Please send suggestions, updates, and comments to:

	

	 eEye Digital Security

	 http://www.eEye.com

	 info@eEye.com