COMMAND

	Sun ONE (iPlanet) Application Server Connector Module Overflow

SYSTEMS AFFECTED

	SunONE (iPlanet) Application Server 6.x

PROBLEM

	
	                           @stake, Inc.
	                         www.atstake.com
	
	                        Security Advisory
	
	Advisory Name: Sun ONE (iPlanet) Application Server Connector Module
	               Overflow
	 Release Date: 03/13/2003
	  Application: SunONE (iPlanet) Application Server 6.x
	     Platform: Microsoft Windows (NT 4.0/2000)
	     Severity: Remote arbitrary code execution
	       Author: Kevin Dunn (kdunn@atstake.com)
	               Chris Eng (ceng@atstake.com)
	Vendor Status: Vendor has patch for 6.5, no fix for 6.0
	CVE Canditate: CAN-2002-0387
	    Reference: www.atstake.com/research/advisories/2003/a031303-1.txt
	
	
	Summary:
	
	        A stack buffer overflow exists in the Connector Module that
	ships with the Sun ONE  Application  Server.  The  module  is  an  NSAPI
	plugin  that  integrates  the  Sun  ONE  Web  Server  (formerly  iPlanet
	Enterprise Server) with the Application Server.  Incoming  HTTP  request
	URLs are handled by the module and an unbounded string operation  causes
	the overflow.
	
	        This is a classic stack buffer overflow and a remote attacker
	can gain control of the running web server.
	
	
	Detailed Description:
	
	        The gxnsapi6.dll module that ships with the Sun ONE
	application server uses a static buffer in the handling of the  incoming
	request URI.
	
	        An overly long request URI in the form of
	/[AppServerPrefix]/[long buffer] will cause the overflow. The  condition
	is exploitable as the saved EIP register is overwritten.
	
	

SOLUTION

	Vendor Response:
	
	       The vendor was initially contacted via email on 5/22/2002.
	
	       Vendor has a patch available for Sun One Application
	Server 6.5.  Download SP1 at:
	
	http://wwws.sun.com/software/download/products/3e3afb89.html
	
	       Vendor has no patch available for version 6.0. Queries
	to the vendor as to  the  best  solution  for  6.0  customers  were  not
	answered.
	
	
	Recommendation:
	
	        If you are using version 6.5 you should and you are
	able to patch your server you should apply SP1.
	
	        We offer the following recommendations for those using
	version 6.0 or are unable to apply SP1 to 6.5.
	
	        There are a number of things that can be done to partially or
	wholly mitigate the risk posed by this vulnerability.  The following
	are some examples. The reader is encouraged to understand their
	environment and business needs and base their solution around those.
	
	        * Use or write an NSAPI module similar to the sample provided
	to inspect the length of HTTP request URIs.  The module could be run
	as the very first NameTrans directive in the default object so that
	it will apply to all incoming requests.  The sample allows a maximum
	length for the URI to be specified in the obj.conf file, will log an
	error if it is exceeded, and will send a "440 Possible Attack
	Detected" response to the client.
	
	        * Terminate the SSL session on a device before the Sun ONE
	web server and install an IDS sensor to monitor the clear-text
	traffic.  Write a filter to detect abnormally long HTTP request URIs.
	
	        * Terminate the SSL session on a reverse-proxy that performs
	data validation on all HTTP request headers.  If a specified length
	is exceeded or a pattern matches, log, alert, and send a warning down
	to the client.
	
	        =============================
	        NSAPI Data Validation Module:
	        =============================
	
	        Usage:
	
	        In [server-root]/[server-instance]/config/obj.conf:
	
	        ...
	        Init fn="load-modules" shlib="[path to libs]/long.so"
	        funcs="bounds_check"
	
	        <Object name=default>
	        # Make sure this function is the first to be called
	        NameTrans fn=bounds_check maxlength=500
	
	        ...
	
	
	         ----- BEGIN -----
	         #include "nsapi.h"
	
	         static int max_req_len = 0;
	
	         NSAPI_PUBLIC int bounds_check(pblock *pb, Session *sn,
	           Request *rq) {
	           char *temp;
	           max_req_len = atoi(pblock_findval("maxlength", pb));
	           temp = pblock_findval("uri", rq->reqpb);
	
	           if (temp != NULL) {
	             if (strlen(temp) > max_req_len) {
	               log_error(LOG_SECURITY, "bounds_check", sn, rq,
	                         "Overly long URI header (%d bytes)...
	                        aborting.",
	                         strlen(temp));
	               protocol_status(sn, rq, 440, "Potential Attack
	                               Detected");
	               return REQ_ABORTED;
	             }
	           }
	             return REQ_NOACTION;
	         }
	         ----- END -----
	
	
	Common Vulnerabilities and Exposures (CVE) Information:
	
	The Common Vulnerabilities and Exposures (CVE) project has assigned
	the following names to these issues.  These are candidates for
	inclusion in the CVE list (http://cve.mitre.org), which standardizes
	names for security problems.
	
	  CAN-2002-0387
	
	
	@stake Vulnerability Reporting Policy:
	http://www.atstake.com/research/policy/
	
	@stake Advisory Archive:
	http://www.atstake.com/research/advisories/
	
	PGP Key:
	http://www.atstake.com/research/pgp_key.asc
	
	
	@stake is currently seeking application security experts to fill
	several consulting positions.  Applicants should have strong
	application development skills and be able to perform application
	security design reviews, code reviews, and application penetration
	testing.  Please send resumes to jobs@atstake.com.
	
	
	Copyright 2003 @stake, Inc. All rights reserved.