From weld@vulnwatch.org Thu Jan 10 00:39:00 2002
From: Chris Wysopal
To: vulnwatch@vulnwatch.org
Date: Wed, 9 Jan 2002 16:43:47 +0000 (GMT)
Subject: [VulnWatch] Netscape ?wp-html-rend denial of service attack

ProCheckUp Security Bulletin PR01-04
CERT: VU#191763

Description: Netscape ?wp-html-rend denial of service attack
Date: 30/07/2001
Date Public: 08/01/2002
Application: Netscape Enterprise 4.0 SP2,SP6 to 4.1 SP8
Platform: Windows NT
Severity: Remote attackers can shut down servers remotely
Author: Richard Brain
Vendor Status: Netscape has released a fix
CVE Candidate: Not assigned

Description:

Remote attackers can easily disable unpatched Netscape Enterprise servers
running on Windows NT with publishing enabled.

http://server/?wp-html-rend is entered in the web browser; it might need to
be entered multiple times to stop the service.

Consequences:

Remote attackers can easily perform a denial of service attack on Netscape
Enterprise servers running with Windows NT.

Detailed description:

Netscape Enterprise has a selection of ?wp-* (Web publishing) commands built
into the web server. We have found that using one of these commands,
?wp-html-rend, reliably performs a denial of service attack by stopping the
running Netscape Enterprise service (v4.0) or the iWS service (v4.1).
Publishing needs to be enabled for this to work.

Netscape 4.0 SP6 seems to be less susceptible, requiring multiple
?wp-html-rend requests to crash.

The service has to be restarted manually for the server to function properly
again. We do not believe it is possible to use this exploit to remotely
execute code.

?wp-html-rend is one of the wp commands provided by Netscape's
content_mgr.dll.

To discover if publishing is enabled without crashing your NT servers, enter
the following URL: http://server/publisher. If publishing is enabled, a page
should appear.

Our test platforms for this vulnerability were Intel NT4 SP6 server and
Sparc Solaris Server 2.6.

Solution:

The ?wp-html-rend command is not useful in iWS 4.x. You can disable it by
using the attached NSAPI SAF.

To install the SAF, load the disrend.dll on your system and add the following
lines to your obj.conf. The PathCheck line should be the first PathCheck
listed.

    Init fn="load-modules" funcs="disRend" shlib="/disrend.dll"
    PathCheck fn="disRend"

Attached file:

Netscape has released the file disrend.dll

Further information:

To see the vulnerability release go to iPlanet/7761 or CERT/191763
For related topics go to iPlanet/4302

Legal:

Copyright 2001 ProCheckUp Ltd. All rights reserved. Permission is granted
for copying and circulating this bulletin to the Internet community for the
purpose of alerting them to problems, if and only if, the bulletin is not
edited or changed in any way, is attributed to ProCheckUp, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not liable
for any misuse of this information by any third party.
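
Added example, not part of the ProCheckUp bulletin or Netscape's fix: a log check that finds requests naming the ?wp-html-rend command and lists clients that sent it more than once, since the bulletin notes that several requests may be needed. It assumes Common Log Format access logs; the sample lines, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Common Log Format prefix: host ident user [time] "METHOD target ..."
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
COMMAND = "wp-html-rend"

# Constructed sample log lines (documentation addresses), not from the bulletin.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [09/Jan/2002:10:00:05 +0000] "GET /?wp-html-rend HTTP/1.0" 200 0
198.51.100.7 - - [09/Jan/2002:10:00:06 +0000] "GET /?wp-html-rend HTTP/1.0" 200 0
192.0.2.44 - - [09/Jan/2002:10:01:00 +0000] "GET /docs/wp-html-rend.html HTTP/1.0" 404 120
192.0.2.45 - - [09/Jan/2002:10:02:00 +0000] "GET /publisher HTTP/1.0" 200 512
203.0.113.9 - - [09/Jan/2002:10:03:00 +0000] "GET /?wp-html-rend HTTP/1.0" 200 0
""".splitlines()

def is_rend_request(target):
    """True when the query string of a request target names the command."""
    query = unquote(urlsplit(target).query)
    # Assumption: match case-insensitively and ignore any "=value" suffix.
    names = [p.split("=", 1)[0].strip().lower() for p in re.split("[&;]", query)]
    return COMMAND in names

def scan(lines, repeat_threshold=2):
    """Return (hits, repeat_clients) for an iterable of access-log lines."""
    hits, per_client = [], Counter()
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if m and is_rend_request(m.group(3)):
            host, when, target = m.groups()
            hits.append((lineno, host, when, target))
            per_client[host] += 1
    repeat = sorted(h for h, c in per_client.items() if c >= repeat_threshold)
    return hits, repeat

if __name__ == "__main__":
    hits, repeat = scan(SAMPLE_LOG)
    for lineno, host, when, target in hits:
        print(f"line {lineno}: {host} [{when}] {target}")
    print("clients with repeated requests:", repeat)
```

A path that merely contains the string (line 4 of the sample) is not reported, because only the query string is inspected.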