COMMAND

    Inktomi Traffic Server traffic_manager local overflow

SYSTEMS AFFECTED

    Media-IXT 3.0.4
    Traffic Server / Media-IXT 4.0.18
    Traffic Server / Media-IXT 4.0.20
    Traffic Server / Media-IXT 5.1.3
    Traffic Server / Media-IXT 5.2.0-R
    Traffic Server / Media-IXT 5.2.1
    Traffic Server / Media-IXT 5.2.2
    Traffic Edge 1.1.2 (Traffic Server 5.2.1)
    Traffic Edge 1.5.0 (Traffic Server 5.5)

PROBLEM

    In Ivan Arce of CORE SECURITY TECHNOLOGIES [http://www.corest.com]
    advisory [CORE-20020620]:

    --snipp--

    The overflow occurs when a string longer than 1700 bytes is passed
    as argument to the -path option. The exploitability has been
    confirmed under Solaris platform.

        /inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <

    --snapp--

    traffic_manager is setuid. The stack gets overflowed.

SOLUTION

    Workaround
    ==========

    Remove the setuid bit from the traffic_manager executable.

    When traffic_manager is not setuid root, the proxy will not be able
    to directly serve 'privileged' port numbers less than 1024: some
    proxy configurations will require ARM config/ipnat.conf

    See Inktomi's note on the bug at
    http://support.inktomi.com/kb/070202-003.html with specific
    instructions on how to reconfigure the products to operate properly
    without the SUID flag set on the binary.
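
The workaround as a repeatable check (an added example, not part of the advisory or of Inktomi's instructions): it finds every traffic_manager binary under an install root that still carries the setuid bit, clears it, and re-scans to confirm. The default root /inktomi is taken from the shell prompt shown in the advisory; the function names and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for, and apply, the "remove the setuid bit" workaround.
# Usage: sh harden_tm.sh /inktomi      (script name is hypothetical)
#        DRY_RUN=1 sh harden_tm.sh /inktomi   to report without changing anything

# Print every traffic_manager file under $1 that still has the setuid bit.
find_setuid_tm() {
    find "$1" -type f -name traffic_manager -perm -4000 2>/dev/null
}

# Report each setuid copy, clear the bit unless DRY_RUN=1, then re-scan.
# Returns 0 only when no setuid traffic_manager remains under the root.
harden_tm() {
    root=${1:-/inktomi}   # assumed default, from the advisory's prompt
    find_setuid_tm "$root" | while IFS= read -r tm_path; do
        ls -l "$tm_path"   # record owner and mode before the change
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would clear setuid: $tm_path"
        else
            chmod u-s "$tm_path" && echo "cleared setuid: $tm_path"
        fi
    done
    # Any remaining match means the workaround is not in place.
    [ -z "$(find_setuid_tm "$root")" ]
}

# Run only when an install root is given on the command line.
if [ "$#" -gt 0 ]; then
    harden_tm "$1"
fi
```

After the bit is cleared the proxy can no longer bind ports below 1024 directly, so apply the reconfiguration from Inktomi's note before restarting it.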