exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nai.99-02-16.nfr.web.server

nai.99-02-16.nfr.web.server
Posted Sep 23, 1999

NFR web server advisory.

tags | web
SHA-256 | 21398862fb726565080f4645b477b379533da2e791d38ed60f4d80f2f0ead4b0

nai.99-02-16.nfr.web.server

Change Mirror Download
=======================================================================

Network Associates, Inc.
SECURITY ADVISORY
February 16, 1999

EMERGENCY RELEASE

Stack Overflow in NFR Web Server

=======================================================================

SYNOPSIS

An implementation fault in the Network Flight Recorder network forensics
system makes it possible for a remote attacker to obtain system management
privileges on boxes running NFR in a standard configuration. Information
sufficient to construct working exploits for this problem is publicly
available.

=======================================================================

VULNERABLE HOSTS

This problem has been confirmed and is known to be exploitable on hosts
running Network Flight Recorder's NFR 2.0.2-Research release. Because
source code is publicly available for this software, it is possible to
confirm vulnerability to this problem by inspecting the source used to
build an installation of NFR on an arbitrary host. Details on how to do
this, as well as how to immediately resolve this problem, appear later in
this document.

=======================================================================

DETAILS

The Network Flight Recorder custom web server is used to present an HTTP
front-end to the NFR system. By default, the web server is called "webd",
and is bound to TCP port 2001. In the absence of external network access
control, arbitrary remote attackers can conduct transactions with the NFR
web server.

Due to an implementation fault in "webd", it is possible for a remote
attacker to formulate an HTTP transaction that will cause the web server
to overflow an automatic variable on the stack. By overwriting activation
records stored on the stack, it is possible to force a transfer of control
into arbitrary instructions provided by the attacker in the HTTP
transaction, and thus gain total control of the web server process.

In a default installation, "webd" runs as the unprivileged "nfr" user.
Thus, this attack does not grant an attacker immediate system management
capabilities. However, in a standard installation of NFR, program binaries
that are run by the superuser are owned by the "nfr" user. An attacker
that has gained access to the "nfr" user via the web server can backdoor
these files to gain root privileges when NFR is restarted.

=======================================================================

TECHNICAL DETAILS

Source code for the NFR system is publicly available under license from
the NFR web site. This advisory makes reference to the source code in the
NFR 2.0.2 Research release from Wed Jan 27 1999.

The vulnerability discussed in this advisory occurs as a result of
"webd"'s processing of the HTTP "POST" command. POST requests are handled
in "nfr/webd/cmdpost.c". Regardless of the configuration of the NFR
web server, the vulnerable POST handling code is exposed to remote
attackers.

The HTTP commands handled by the NFR web server are listed in the command
table, which is located in "nfr/webd/ctab.c". The command table maps HTTP
command names to function handlers. The function handler for "POST"
commands which reference programs in the root directory of the web
server is defined as "cmd_postbltin()", which is defined in "cmdpost.c".

In order to process the POST command, the function handler attempts to
read MIME headers for the POST data from the HTTP client. This is handled
in "getpostdata()", also defined in "cmdpost.c". Among the headers
recognized by the code is "Content-length", which defines the amount of
data the client is sending the server in the POST transaction.

Unfortunately, the MIME header recognition code does not sanity check the
value given as the Content-length. It is possible for an attacker to
specify an arbitrary Content-length header, which will be trusted by the
server as valid input.

After parsing MIME headers, the web daemon attempts to read as many bytes
as the client specified in the Content-length header into an 8k buffer,
named "buf", which is an automatic buffer in cmd_postbltin(). If the
attacker specifies more than 8192 bytes of data in the header, the
additional data will overwrite the stack frame for cmd_postbltin(),
allowing the attacker to take over the web daemon process.

Note that in some operating systems, causing a single read() to return
more than 8192 bytes is difficult; this problem may not be easily
exploited on these systems. This problem is known to be exploitable
against 4.4BSD Unix operating systems running NFR. This is the recommended
NFR platform.

=======================================================================

RESOLUTION

It is recommended that vulnerable users of NFR contact NFR immediately for
a patch to this problem. In the absence of an available patch, the source
code can be edited and rebuilt to resolve the problem by adding bounds
checking to cmd_getpostbltin() or getpostdata().

NFR has announced the release of a patch that will correct this problem on
February 16, 1999. This patch, which updates NFR to revision 2.0.3, should
be available at the NFR website at http://www.nfr.com.

=======================================================================

CREDITS

Analysis and documentation of this problem was conducted by the Security
Labs at Network Associates. This vulnerability was discovered, and NFR
notified, on Wednesday, January 27, 1999.

=======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important
research in computer security today. With over 30 published security
advisories published in the last 2 years, the Network Associates security
auditing teams have been responsible for the discovery of many of the
Internet's most serious security flaws. This advisory represents our
ongoing commitment to provide critical information to the security
community.

For more information about the Security Labs at Network Associates,
see our website at http://www.nai.com or contact us at <seclabs@nai.com>.

=======================================================================


NETWORK ASSOCIATES SECURITY LABS PGP KEY

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
-----END PGP PUBLIC KEY BLOCK-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close