Sun ONE (iPlanet) Application Server Connector Module Overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                       @stake, Inc.
                     www.atstake.com

                    Security Advisory

Advisory Name: Sun ONE (iPlanet) Application Server Connector Module
Overflow
Release Date: 03/13/2003
Application: SunONE (iPlanet) Application Server 6.x
Platform: Microsoft Windows (NT 4.0/2000)
Severity: Remote arbitrary code execution
Author: Kevin Dunn ([email protected])
Chris Eng ([email protected])
Vendor Status: Vendor has patch for 6.5, no fix for 6.0
CVE Canditate: CAN-2002-0387
Reference: www.atstake.com/research/advisories/2003/a031303-1.txt

Summary:

    A stack buffer overflow exists in the Connector Module that

ships with the Sun ONE Application Server. The module is an NSAPI
plugin that integrates the Sun ONE Web Server (formerly iPlanet
Enterprise Server) with the Application Server. Incoming HTTP request
URLs are handled by the module and an unbounded string operation
causes the overflow.

    This is a classic stack buffer overflow and a remote attacker

can gain control of the running web server.

Detailed Description:

    The gxnsapi6.dll module that ships with the Sun ONE

application server uses a static buffer in the handling of the
incoming request URI.

    An overly long request URI in the form of

/[AppServerPrefix]/[long buffer] will cause the overflow. The
condition is exploitable as the saved EIP register is overwritten.

Vendor Response:

   The vendor was initially contacted via email on 5/22/2002.

   Vendor has a patch available for Sun One Application

Server 6.5. Download SP1 at:

http://wwws.sun.com/software/download/products/3e3afb89.html

   Vendor has no patch available for version 6.0. Queries

to the vendor as to the best solution for 6.0 customers
were not answered.

Recommendation:

    If you are using version 6.5 you should and you are

able to patch your server you should apply SP1.

    We offer the following recommendations for those using

version 6.0 or are unable to apply SP1 to 6.5.

    There are a number of things that can be done to partially or

wholly mitigate the risk posed by this vulnerability. The following
are some examples. The reader is encouraged to understand their
environment and business needs and base their solution around those.

    * Use or write an NSAPI module similar to the sample provided

to inspect the length of HTTP request URIs. The module could be run
as the very first NameTrans directive in the default object so that
it will apply to all incoming requests. The sample allows a maximum
length for the URI to be specified in the obj.conf file, will log an
error if it is exceeded, and will send a "440 Possible Attack
Detected" response to the client.

    * Terminate the SSL session on a device before the Sun ONE

web server and install an IDS sensor to monitor the clear-text
traffic. Write a filter to detect abnormally long HTTP request URIs.

    * Terminate the SSL session on a reverse-proxy that performs

data validation on all HTTP request headers. If a specified length
is exceeded or a pattern matches, log, alert, and send a warning down
to the client.

    =============================
    NSAPI Data Validation Module:
    =============================

    Usage:

    In [server-root]/[server-instance]/config/obj.conf:

    ...
    Init fn="load-modules" shlib="[path to libs]/long.so"
    funcs="bounds_check"

    <Object name=default>
    # Make sure this function is the first to be called
    NameTrans fn=bounds_check maxlength=500

    ...


     ----- BEGIN -----
     #include "nsapi.h"

     static int max_req_len = 0;

     NSAPI_PUBLIC int bounds_check(pblock *pb, Session *sn,
       Request *rq) {
       char *temp;
       max_req_len = atoi(pblock_findval("maxlength", pb));
       temp = pblock_findval("uri", rq->reqpb);

       if (temp != NULL) {
         if (strlen(temp) > max_req_len) {
           log_error(LOG_SECURITY, "bounds_check", sn, rq,
                     "Overly long URI header (%d bytes)...
                    aborting.",
                     strlen(temp));
           protocol_status(sn, rq, 440, "Potential Attack
                           Detected");
           return REQ_ABORTED;
         }
       }
         return REQ_NOACTION;
     }
     ----- END -----

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2002-0387

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to [email protected].

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPnCz4Ue9kNIfAm4yEQJkOACfXdDVFUFCGSrJqw3FGOrDXYkPQLkAoKEC
rPaKbHt36eSVdU/4HP8XIPQf
=WbKy
-----END PGP SIGNATURE-----