Vulnerability

    iPlanet/ Netscape Enterprise Web Publisher

Affected

    Netscape Enterprise 4.1 and prior versions.

Description

    Riley Hassell  from  eEye  found  following.   The  Web  Publisher
    feature  in  Netscape  Enterprise  4.1  is  vulnerable to a buffer
    overflow.  By  sending a large  buffer containing executable  code
    and a new Instruction Pointer, an attacker is able to gain  remote
    system shell access to the vulnerable server.

    The  overflow  itself  exists  in  Publishers  handling of the URI
    (Uniform  Resource  Identifier).   By  specifying   GETPROPERTIES,
    GETATTRIBUTENAMES,  or  any  other  one  of the publisher specific
    methods, we can  pass data into  vulnerable section of  the server
    and exploit the vulnerability.

    Example:

        C:\>telnet www.example.com 80
        Connecting To www.example.com... connected.
        GETPROPERTIES /(buffer) HTTP/1.1
        Host: Hostname
        (enter)
        (enter)

    Where (buffer) is 2000 characters.

    There is no a proof of concept exploit, however expect one soon.

Solution

    Quote from iPlanet's development  team: "The security &  stability
    of  iPlanet's  customer's  environments  is  one  of our paramount
    concerns.  To ensure the stability of our customer's  environments
    iPlanet has made available an  NSAPI patch that can be  applied to
    iPlanet Web Server, Enterprise Edition."

    The NSAPI patch is available at:

        http://iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html

    This issue will  also be addressed  by the release  of iPlanet Web
    Server, Enterprise Edition version 4.1 Service Pack 8.