eEye Digital Security
Advisories | Published Advisories | AD20020808a

Sun™ ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow

Release Date:
August 8, 2002

Severity:
High (Remote SYSTEM/ROOT)

Vendor:
Sun Microsystems

Systems Affected:
iPlanet 6.0 and Prior

Overview:
A vulnerability in transfer chunking can be exploited to remotely execute code of an attacker's choice on a vulnerable machine. By sending a carefully crafted session, an attacker can overwrite a section of the heap. Various data structures in the overwritten heap can be manipulated to move attacker supplied data to attacker supplied memory addresses, thereby altering the flow of execution into an attacker supplied payload.

Note this variant is not the integer overflow affecting IIS and Apache that was discovered during regression testing with Microsoft. This is another variant relating to incorrect size calculation.

The following example will show the vulnerable condition:

**************Begin Session****************
POST /EEYE.html HTTP/1.1
Host: www.EEYE2002.com
Transfer-Encoding: chunked
Content-Length: 22

4
EEYE
7FFFFFFF
[DATA]
**************End Session******************

[DATA] will overwrite heap memory. Increase or decrease depending on implementation.

Technical Details:
Technical Description:
The example session above overwrites a section of the heap that contains data structures related to the memory management system. By manipulating the content of these structures, we can overwrite an arbitrary 4 bytes of memory with an attacker supplied address.

It is widely assumed that the risk for this type of vulnerability is fairly low because addressing is dynamic and the attack must rely on brute force; however, this is a false assumption, and exploitation can succeed in one attempt, across DLL versions. An attacker can overwrite static global variables, stored function pointers, process management structures, memory management structures, or any number of data types that will allow him to gain control of the target application in one session.
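For defenders, the session in the overview comes down to a declared chunk size (7FFFFFFF) that bears no relation to the data received or to the buffer that will hold it. The following is an added example, not code from Sun or from this advisory, of a chunked-body decoder that checks every declared size before copying; the function names and the MAX_CHUNK cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_CHUNK 0x100000u  /* assumed policy cap: 1 MiB per chunk */

/* Parse the hex chunk-size line at *p (bounded by end). Returns 0 on success.
   Chunk extensions (";name=value") are not supported and are rejected. */
static int parse_chunk_size(const char **p, const char *end, size_t *size)
{
    size_t v = 0;
    int digits = 0;
    for (; *p < end; (*p)++, digits++) {
        char c = **p;
        unsigned d;
        if (c >= '0' && c <= '9') d = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') d = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') d = (unsigned)(c - 'A' + 10);
        else break;
        v = (v << 4) | d;
        if (v > MAX_CHUNK) return -1;      /* reject long before it can wrap */
    }
    if (digits == 0 || end - *p < 2 || (*p)[0] != '\r' || (*p)[1] != '\n')
        return -1;
    *p += 2;
    *size = v;
    return 0;
}

/* Decode a chunked body into dst. Returns 0 on success, -1 on any violation. */
int decode_chunked(const char *body, size_t body_len,
                   unsigned char *dst, size_t dst_cap, size_t *out_len)
{
    const char *p = body, *end = body + body_len;
    size_t used = 0, n;
    for (;;) {
        if (parse_chunk_size(&p, end, &n) != 0) return -1;
        if (n == 0) break;                      /* last chunk */
        if (n > (size_t)(end - p)) return -1;   /* claims more than was received */
        if (n > dst_cap - used) return -1;      /* claims more than dst can hold */
        memcpy(dst + used, p, n);
        used += n;
        p += n;
        if (end - p < 2 || p[0] != '\r' || p[1] != '\n') return -1;
        p += 2;
    }
    *out_len = used;
    return 0;
}
```

The two size comparisons are written as subtractions on the known-good side (`end - p`, `dst_cap - used`) so that a large declared size can never be added to a pointer or counter and wrap.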

Vendor Status:
Sun has released a security bulletin and patch:
http://www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html

Credit:
Riley Hassell

Greetings:
Eli, Kasia, Halvar, FX, and the three amigos K2, Dark Spyrit, and Joey.

Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
