Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow

Sun(TM) ONE / iPlanet Web Server 4.1 and 6.0 Remote Buffer Overflow

by Nikola Strahija on August 9th, 2002 A vulnerability in transfer chunking can be exploited to remotely execute code of an attacker's choice on a vulnerable machine. By sending a carefully crafted session, an attacker can overwrite a section of the heap. Various data structures in the overwritten heap can be manipulated to move attacker supplied data to attacker supplied memory addresses, thereby altering the flow of execution into an attacker supplied payload.


Note this variant is not the integer overflow affecting IIS and Apache that
was discovered during regression testing with Microsoft. This is another
variant relating to incorrect size calculation.

The following example will show the vulnerable condition:

**************Begin Session****************
POST /EEYE.html HTTP/1.1
Host: www.EEYE2002.com
Transfer-Encoding: chunked
Content-Length: 22

4
EEYE
7FFFFFFF
[DATA]
**************End Session******************

[DATA] will overwrite heap memory. Increase or decrease depending on
implementation.

Technical Description:
The example session above overwrites a section of the heap that contains
data structures related to the Memory management system. By manipulating the
content of these structures, we can overwrite an arbitrary 4 bytes of memory
with an attacker supplied address.

It is widely assumed that the risk for these type of vulnerabilities is
fairly low due to the fact that addressing is dynamic and that you must use
brute force in your attack; however, this is false assumption and
exploitation can be successful with one attempt, across dll versions. An
attacker can overwrite static global variables, stored function pointers,
process management structures, memory management structures, or any number
of data types that will allow him to gain control of the target application
in one session.

Vendor Status:
Sun has released a security bulletin and patch:
http://www.sun.com/service/support/software/iplanet/alerts/transferencodinga
lert-23july2002.html

Credit: Riley Hassell


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »