Netscape Vulnerabilities

CVE 1999-0744
CVE 1999-0751
CVE 1999-0853

Impact

Two buffer overflow conditions in the Netscape Enterprise and Netscape FastTrack web servers could allow a remote attacker to execute commands on the server with SYSTEM privileges on Windows NT, or with the privileges of the nobody or root account on Unix.

A third vulnerability in the Web Publishing tags in Netscape Enterprise server could allow listing of directories on the server even if index.html files are in place.

Note: The red stoplight on this page indicates the highest possible severity level for this vulnerability. Check the bullet next to the link to this tutorial on the previous page to determine the actual severity level. If the bullet is red, then the vulnerability could be exploited by an attacker. If the bullet is brown, then SAINT was unable to determine whether or not the server was vulnerable.

The Problems


GET buffer overflow

CVE 1999-0744

The first vulnerability is a buffer overflow condition in the procedure which handles the GET method. GET is the method used by a web browser to request a page from the server. By sending a very long GET request to the server, an attacker could cause a buffer to overflow, thus overwriting the stack. A specially crafted request could be used to execute arbitrary code on the server.

All versions of Netscape FastTrack Server, and Enterprise Server prior to 3.6 with service pack 3, are vulnerable.


HTTP Basic Authentication buffer overflow

CVE 1999-0853

The second vulnerability is in the HTTP Basic Authentication procedure. It affects any server that contains password protected pages. An attacker could go to a password protected page and cause a buffer overflow by entering a very long username or password. A specially crafted string could be used to execute arbitrary code on the server.

Any Netscape Enterprise or FastTrack server containing password protected pages is vulnerable. Although Service Pack 3 for Enterprise Server 3.6 fixes the vulnerability in Enterprise Server, the Administration Server is still vulnerable.
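Both overflows are triggered by an over-long field in an ordinary HTTP request: the request-target of the GET line in the first case, the decoded Basic username or password in the second. A request inspector sitting in front of the server, or a script run over captured requests, can flag exactly those conditions. The following is an added example written for this tutorial, not code from SAINT or Netscape; the length thresholds and the three sample requests are constructed assumptions, not values taken from the advisories.

```python
import base64
import binascii
from typing import List, Tuple

# Thresholds are assumptions for this example, not figures from the advisory.
MAX_TARGET_LEN = 1024      # bytes allowed in the request-target of the request line
MAX_BASIC_FIELD_LEN = 256  # bytes allowed in the decoded Basic username or password

Finding = Tuple[str, str]  # (finding code, human-readable detail)


def inspect_request(raw: bytes) -> List[Finding]:
    """Return findings for one raw HTTP request (only the head is examined)."""
    findings: List[Finding] = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")

    # Request line: METHOD SP request-target SP HTTP-version
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        findings.append(("malformed-request-line", lines[0][:40].decode("latin-1")))
        return findings
    method, target, _version = parts
    if len(target) > MAX_TARGET_LEN:
        findings.append(("long-request-target",
                         f"{method.decode('latin-1')} target is {len(target)} bytes"))

    # Headers: decode Basic credentials and measure the username and password
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            findings.append(("undecodable-basic-credentials", f"{len(token)} byte token"))
            continue
        user, _, password = decoded.partition(b":")
        if len(user) > MAX_BASIC_FIELD_LEN or len(password) > MAX_BASIC_FIELD_LEN:
            findings.append(("long-basic-credentials",
                             f"user {len(user)} bytes, password {len(password)} bytes"))
    return findings


# Constructed sample requests for the example (not captured traffic).
NORMAL_REQUEST = (b"GET /index.html HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n\r\n")
LONG_GET_REQUEST = (b"GET /" + b"A" * 4096 + b" HTTP/1.0\r\n"
                    b"Host: www.example.com\r\n\r\n")
LONG_AUTH_REQUEST = (b"GET /private/index.html HTTP/1.0\r\n"
                     b"Host: www.example.com\r\n"
                     b"Authorization: Basic "
                     + base64.b64encode(b"alice:" + b"B" * 2048) + b"\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("normal", NORMAL_REQUEST),
                           ("long GET", LONG_GET_REQUEST),
                           ("long Basic", LONG_AUTH_REQUEST)):
        print(label, inspect_request(request) or "no findings")
```

The inspector reports the decoded credential lengths rather than the Authorization header length, because the base64 token grows with the credentials and a short-looking header can still carry a long password. A request line that does not split into three fields is reported on its own, since the server's GET handler is precisely the code path the first advisory concerns.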


Vulnerability in Web Publishing tags

If Directory Indexing is enabled on a Netscape Enterprise server, then Web Publishing tags can be used by a remote user to view directory listings on the server, even if there is an index.html file in the directory.

Resolutions

The buffer overflow problems can be fixed by upgrading the web server to the latest version of iPlanet Web Server, which replaces both the Enterprise and FastTrack lines of web servers.

CVE 1999-0751

Note: Although the GET buffer overflow could be fixed by a patch which was released for Enterprise Server 3.6 service pack 2, the patch itself introduced another buffer overflow condition, and is not a recommended solution.

The workaround for the vulnerability in the Web Publishing tags is to disable Directory Indexing. To disable Directory Indexing, look in the obj.conf file for the following lines:

    Service method="(GET|HEAD)"
    type="magnus-internal/directory"
    fn="index-common"

Change the third line to:

    fn="send-error"
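A quick way to confirm the workaround has been applied across many servers is to parse each obj.conf and report which function handles the magnus-internal/directory Service. The following is an added example for this tutorial, not a tool from SAINT or Netscape. The two configuration excerpts are constructed, the document root path in them is a placeholder, and the parser assumes the obj.conf layout shown above, where a directive may be split over several lines that carry only name="value" pairs.

```python
import re
from typing import Dict, List, Optional

# Constructed obj.conf excerpt with Directory Indexing still enabled
# (the weak setting); the root path is a placeholder, not a real install.
WEAK_OBJ_CONF = """\
<Object name="default">
NameTrans fn="document-root" root="/path/to/docs"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD)" type="*~magnus-internal/*" fn="send-file"
</Object>
"""

# The same excerpt after the workaround: the directory Service now sends an error.
FIXED_OBJ_CONF = WEAK_OBJ_CONF.replace('fn="index-common"', 'fn="send-error"')

# The three-line layout printed in this tutorial, to show the parser accepts it.
THREE_LINE_FORM = ('Service method="(GET|HEAD)"\n'
                   'type="magnus-internal/directory"\n'
                   'fn="index-common"\n')

DIRECTIVE_RE = re.compile(r"^([A-Z][A-Za-z]*)\s+(.*)$")  # e.g. Service ..., NameTrans ...
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')                 # name="value" pairs


def parse_directives(text: str) -> List[Dict[str, str]]:
    """Parse obj.conf into a list of directives, each a dict of its parameters.

    Keys starting with '_' are metadata: the directive name and enclosing Object.
    Lines holding only name="value" pairs are treated as continuation lines.
    """
    directives: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    obj_name = ""
    for raw_line in text.splitlines():
        line = raw_line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("<"):  # <Object name="..."> or </Object> tag
            current = None
            tag = re.match(r'<Object\s+name="([^"]*)"', line)
            if tag:
                obj_name = tag.group(1)
            elif line.startswith("</"):
                obj_name = ""
            continue
        start = DIRECTIVE_RE.match(line)
        if start:
            current = {"_directive": start.group(1), "_object": obj_name}
            current.update(dict(PARAM_RE.findall(start.group(2))))
            directives.append(current)
        elif current is not None:
            current.update(dict(PARAM_RE.findall(line)))
    return directives


def check_directory_indexing(text: str) -> List[Dict[str, str]]:
    """Report every Service directive that handles directory requests."""
    results: List[Dict[str, str]] = []
    for d in parse_directives(text):
        if d.get("_directive") != "Service" or d.get("type") != "magnus-internal/directory":
            continue
        fn = d.get("fn", "")
        if fn == "index-common":
            status = "listing enabled"
        elif fn == "send-error":
            status = "listing disabled"
        else:
            status = "review"  # some other function: inspect by hand
        results.append({"object": d["_object"], "fn": fn, "status": status})
    return results


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OBJ_CONF), ("fixed", FIXED_OBJ_CONF)):
        print(label, check_directory_indexing(conf))
```

Any result other than "listing disabled" is worth a look: a server whose directory Service has been pointed at some other function is not necessarily exposed, but it is not running the workaround the tutorial describes.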

Where can I read more about this?

X-Force advisory 37 discusses the buffer overflow in the processing of the GET method. The vulnerability that was introduced by the original patch was discussed in Bugtraq.

X-Force advisory 39 discusses the vulnerability in the HTTP Basic Authentication procedure.

See the Bugtraq postings for more information on the Web Publishing tags vulnerability and the solution.