solarisab2.txt

1999-08-17T00:00:00
ID PACKETSTORM:15312
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Sun, 23 Aug 1998 21:02:30 -0700  
From: Marc Slemko <marcs@ZNEP.COM>  
Subject: Solaris ab2 web server is junk  
  
For anyone who didn't figure out in the first two seconds after installing  
Solaris that running Sun's (well, ok, it is some third party server but  
Sun is licensing it) answerbook web server is silly, now you know.  
  
I do not know if any of the below has been fixed by more recent patches  
and haven't looked at it since the start of May when I sent the below to  
Sun.  
  
---------- Forwarded message ----------  
Date: Sat, 2 May 1998 00:42:05 -0600 (MDT)  
From: Marc Slemko <marcs@znep.com>  
To: security-alert@Sun.COM  
Subject: report ab2 web server is junk  
  
Are you aware of what a pile of junk the dwhttpd/3.1a4 web server that is  
installed for the ab2 stuff in 2.6 is?  
  
It is trivial to make it stop processing CGI requests by doing  
a POST with a large content-length; further CGI requests then  
fail with an out of memory or something.  
  
It doesn't handle %-encoding and logs in a funky way, which results  
in URLs with printf-style '%' strings in getting funky log  
entries. For example, accessing http://apollo:8888/foo/%s gives  
a log entry of:  
  
http-8888 [02/May/2000:00:24:12 -0600] warning: send-file reports: The requested8ãÿß$þßGÇßßÇßÓ×Èߪä¾ÈßÊ" could not be opened!  
  
It is interpreting the %s as a printf style format string. This could,  
if you can find the right error message and have the right junk  
memory accessed, possibly compromise information from the address  
space of the server that shouldn't be compromised. Not likely,  
but possible. Note that this mishandling of %-encoded strings also  
rejects valid requests that are % encoded, but the server doesn't  
even start to be HTTP compliant so that probably doesn't matter.  
  
You can cause it to core dump trivially in many ways. Requesting  
/foo.cgi makes it die, as does a request that is long enough to  
get an ENAMETOOLONG (causes it to try opening ""), or even longer  
(causes it to die with an assertion failure):  
  
Assertion failed: buffer && len > 0 && timeout >= 0, file ../dwhttpd/dwsocket.cc, line 294\n  
  
All of the above is lame and can possibly result in some security  
problems, but since this server obviously isn't intended to have any  
real use then the DoS attacks aren't overly serious. None of these  
appear to be buffer overflow problems.  
  
More serious, however, is this excerpt from a truss of it handling  
a request:  
  
poll(0xDED00A60, 1, 120000) = 1  
recv(12, " G E T / H T T P / 1".., 4096, 0) = 261  
xstat(2, "/usr/lib/ab2/data/docs/", 0xDED03BB4) = 0  
xstat(2, "/tmp/ecm/utf8.so", 0xDED03024) Err#2 ENOENT  
xstat(2, "/usr/lib/ab2/lib/ecm/utf8.so", 0xDED03024) Err#2 ENOENT  
xstat(2, "/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", 0xDED03024) = 0  
open("/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", O_RDONLY) = 13  
  
Why the heck is it trying to open a shared library under /tmp?  
I see nothing stopping me from creating my own trojaned utf8.so  
and putting it in /tmp/ecm to gain easy access to the daemon  
uid. I don't think I did anything locally to cause it to do  
this, but I can't see where it is getting /tmp from either.  
It isn't in the LD_LIBRARY_PATH that is getting set by  
/etc/init.d/ab2mgr.  
  
No, access to daemon doesn't give you that much (although it could  
do more if you had some NFS mounts from another server where it  
did matter) and none of the above is a remote exploit, but finding  
all this in 15 minutes of looking is enough to convince me that  
there is a high probability of there being some yet-unpublished  
remote exploit to gain access to the box remotely. Doesn't look  
like a very professional piece of software. Just another thing on  
my list of things to disable on any Solaris installation.  
  
Some of this may be x86 specific, didn't bother to look on a sparc  
box.  
  
Tests done on the below system:  
  
Hostname: apollo  
Hostid: 208316d8  
Release: 5.6  
Kernel architecture: i86pc  
Application architecture: i386  
Hardware provider:  
Domain:  
Kernel version: SunOS 5.6 Generic 105182-04 January 1998  
  
OpenWindows version:  
OpenWindows Version 3.6 7 July 1997  
  
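The two request-handling mistakes described above (no %xx decoding, and the raw path reaching a printf-style formatter as the format string) are fixed at the parser level in this added C example; it is not dwhttpd code, and the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the dwhttpd source: decode %xx strictly, and pass
 * request data to the logger only as an argument to a constant format,
 * never as the format itself. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %xx escapes from src into dst (capacity n). Returns decoded length,
 * or -1 if a '%' is not followed by two hex digits (e.g. "/foo/%s") or the
 * result does not fit; a server should answer 400 rather than pass it on. */
int url_decode(const char *src, char *dst, size_t n) {
    size_t o = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;          /* malformed escape, reject */
            c = hi * 16 + lo;
            src += 2;
        }
        if (o + 1 >= n) return -1;          /* no room for byte plus NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Hardened log line: the path is an argument to a fixed format, so any
 * '%' sequence it contains is copied literally, not interpreted. */
int log_open_failure(char *out, size_t n, const char *rawpath) {
    return snprintf(out, n,
        "warning: send-file reports: The requested \"%s\" could not be opened!",
        rawpath);
}

int main(void) {
    char dec[128], line[256];
    printf("%d\n", url_decode("/foo/%73", dec, sizeof dec)); /* 6, "/foo/s" */
    printf("%d\n", url_decode("/foo/%s", dec, sizeof dec));  /* -1: malformed */
    log_open_failure(line, sizeof line, "/foo/%s");
    puts(line);                               /* "%s" appears verbatim */
    return 0;
}
```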