what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Rapid7 Security Advisory 7

Rapid7 Security Advisory 7
Posted Oct 25, 2002
Authored by Rapid7 | Site rapid7.com

Rapid 7 Advisory R7-0007 - The Caching Proxy component of IBM's WebSphere Edge Server v2.0 is vulnerable to a denial-of-service attack against one of the default CGI programs. A malformed HTTP request for /cgi-bin/helpout.exe will cause ibmproxy.exe to crash and cease functioning.

tags | web, cgi
SHA-256 | d5444f4faa351e594a4559c2bf2fb5cf0491766c5ae89f6adfc2ce7c94802ffe

Rapid7 Security Advisory 7

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
Rapid 7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0007
IBM WebSphere Edge Server Caching Proxy Denial of Service

Published: October 23, 2002
Revision: 1.0
http://www.rapid7.com/advisories/R7-0007.txt

IBM: APAR# IY35970

CVE: CAN-2002-1169
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1169

Bugtraq: 6002
http://online.securityfocus.com/bid/6002

1. Affected system(s):

KNOWN VULNERABLE:
o IBM Web Traffic Express Caching Proxy Server v4.x (bundled
with IBM WebSphere Edge Server v2.0)
o IBM Web Traffic Express Caching Proxy Server v3.6

2. Summary

The Caching Proxy component of IBM's WebSphere Edge Server v2.0 is
vulnerable to a denial-of-service attack against one of the default
CGI programs. A malformed HTTP request for /cgi-bin/helpout.exe
will cause ibmproxy.exe to crash and cease functioning.

IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
v2.0. IBM Web Traffic Express v3.6 and earlier were separately
shipping products.

3. Vendor status and information

IBM Software
http://www-3.ibm.com/software/webservers/edgeserver/index.html

IBM was notified of this issue and has released efix build number
4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue
and other security issues (see Rapid 7 advisory R7-0008 for more
information: http://www.rapid7.com/advisories/R7-0008.txt ).

IBM is tracking this issue as APAR# IY35970.

4. Solution

IBM customers should install Caching Proxy efix build 4.0.1.26 or
higher. Efix builds can be downloaded from IBM's secure FTP site.
For more information on obtaining efix builds, contact IBM support
with the APAR number listed above.

This fix has also been ported back to the Web Traffic Express v3.6
code base. Customers running v3.6 should contact IBM support for
more information on how to upgrade to a newer build.

As a temporary workaround, you can move the file /cgi-bin/helpout.exe
to a non-executable directory until the fix has been applied.

5. Detailed analysis

The proxy server will crash when /cgi-bin/helpout.exe is the subject of
an HTTP request that does not include an HTTP version specifier at the
end of the request line.

If you include a version specifier (e.g. "HTTP/1.0"), helpout.exe
will successfully serve up a blank page.

[~] $ telnet localhost 80
Trying 127.0.0.1...
Connected to proxy.victim.com.
Escape character is '^]'.
GET /cgi-bin/helpout.exe HTTP/1.0

HTTP/1.1 200 Document follows
Pragma: no-cache
Last-Modified: Fri, 18 Oct 2002 16:54:40 GMT
Content-Type: text/html
Accept-Ranges: bytes
Connection: close
Date: Fri, 18 Oct 2002 16:54:40 GMT
Server: IBM-PROXY-WTE/2.0

Connection closed by foreign host.

If you send a request with no version specifier, or with a version
specifier that does not include a forward slash (e.g. "HTTP" or ""),
ibmproxy.exe will crash, closing all connections:

[~] $ telnet localhost 80
Trying 127.0.0.1...
Connected to proxy.victim.com.
Escape character is '^]'.
GET /cgi-bin/helpout.exe HTTP

Connection closed by foreign host.

An exception dialog will be displayed on the server console, reading:

ibmproxy.exe - Application Error
The instruction at "0x002662ac" referenced memory at "0x00000000".
The
memory could not be "read".

The access violation occurs within the WHTTPD.DLL module.

6. Contact Information

Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.

This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9tuwMcL76DCfug6wRAioTAJ91LNRpu30YE5LV9lTjnCzlTx4EewCgpt2q
7qnbIzCEw4FROK1eRW2NtoM=
=SlFt
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close