Tutorial - Potentially Vulnerable Web Server
Potentially Vulnerable Web Server
Impact
IIS:
Due to an unchecked buffer in an IIS 5.0 DLL, a maliciously crafted HTTP .print
request containing approximately 420 bytes in the 'Host:' field will allow the
execution of arbitrary code. It is most commonly found on Windows 2000.
Microsoft placed a password backdoor in their IIS 4 and IIS 5 products.
Knowledge of the password can give a user access to certain Web administrator
operations.
Netscape:
Most versions of Netscape Enterprise Server prior to version 4.1
may be vulnerable to a buffer overflow attack. This includes both Netscape
and iPlanet servers.
The Oracle Application Server may also be subject to a buffer overflow when
integrated with a Netscape (iPlanet) Web Server.
WebSite Pro:
Many versions of O'Reilly's WebSitePro Server (httpd_32.exe)
may be vulnerable to a buffer overflow attack. Versions 2.4.x have
been confirmed to be vulnerable. Prior versions may also be vulnerable.
BEA Weblogic:
Several buffer overflows in plugins provided by several BEA Weblogic servers
allow a remote attacker to execute arbitrary code on the system running the
proxying web server.
Apache:
A condition exists in many Apache servers up to and including version 1.3.13
that may enable a malicious user to read arbitrary files.
Background
IIS:
Windows 2000/IIS 5.0 Internet printing ISAPI extension contains msw3prt.dll,
which handles user requests. An unchecked buffer in msw3prt.dll will allow
the execution of arbitrary code. Typically a web server would stop responding
in a buffer overflow condition; however, once Windows 2000 detects an
unresponsive web server it automatically performs a restart. Therefore,
the administrator will be unaware of this attack.
Microsoft installed a password backdoor in IIS 4.0 and IIS 5.0 servers through
which they could access and control Web servers.
Netscape:
BEA Weblogic:
These web servers can be configured to redirect requests for servlets and
JSP files to a Weblogic server running on the same or on a different host.
The net result of this is remote execution of arbitrary code as the user
running the proxying server (generally root on UNIX systems, SYSTEM on MS NT).
Apache:
If a RewriteRule directive is expressed whose result maps to a filename
containing regular expression references, the result may provide an attacker
with the ability to view arbitrary files on the host.
Resolution
IIS:
Microsoft has released a patch which rectifies the IIS 5.0 buffer
overflow issue at
ReleaseId 29321
Reference:
www.securityfocus.com/bid/2674
As of 15 May 2001, Microsoft has not issued an advisory on the password
backdoor. However, various CERTs have stated that Microsoft recommends
deleting the dvwssr.dll file in any of the FrontPage directories.
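The two IIS findings above (the oversized 'Host:' field sent to the Internet Printing ISAPI extension, whose requests carry the .printer extension handled by msw3prt.dll, and the dvwssr.dll backdoor file) can be checked for in web server logs. The following is an added example, not part of this tutorial: it scans constructed IIS W3C extended log lines (the field layout and the 256-byte Host threshold are assumptions) and reports requests matching either indicator.

```python
from dataclasses import dataclass

# Constructed sample of IIS W3C extended log lines (assumed field layout;
# an IIS 5.0 log must have the cs-host field enabled for rule 1 to apply).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2001-05-15 10:01:02 192.0.2.10 GET /default.htm 200 www.example.test
2001-05-15 10:01:05 192.0.2.20 GET /status.printer 500 {}
2001-05-15 10:01:09 192.0.2.30 GET /_vti_bin/dvwssr.dll 200 www.example.test
2001-05-15 10:01:12 192.0.2.10 GET /printers/ 200 www.example.test
""".format("A" * 420)

# Assumed threshold: legitimate Host values are far shorter than the ~420
# bytes described in the finding, so anything this long is suspicious.
HOST_LENGTH_THRESHOLD = 256


@dataclass
class Finding:
    line_no: int
    client: str
    rule: str


def parse_fields(header):
    """Turn a '#Fields: ...' directive into the list of column names."""
    return header[len("#Fields:"):].split()


def scan_iis_log(text):
    """Return a Finding for every log line matching one of the two IIS indicators."""
    fields = None
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = parse_fields(raw)
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue  # comments, blank lines, or data before any field directive
        rec = dict(zip(fields, raw.split()))
        stem = rec.get("cs-uri-stem", "").lower()
        host = rec.get("cs-host", "")
        client = rec.get("c-ip", "?")
        # Rule 1: .printer request with an oversized Host header (msw3prt.dll overflow)
        if stem.endswith(".printer") and len(host) >= HOST_LENGTH_THRESHOLD:
            findings.append(Finding(no, client, "oversized-host-printer"))
        # Rule 2: any access to dvwssr.dll, the file the CERTs recommend deleting
        if stem.endswith("/dvwssr.dll"):
            findings.append(Finding(no, client, "dvwssr-access"))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.rule}")
```

Because Windows 2000 restarts the crashed server automatically, the log entry for the overflow request may never be written; the dvwssr.dll rule remains useful regardless.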
Netscape:
Netscape recommends that all Netscape Enterprise and FastTrack servers should
be upgraded to the relevant iPlanet release.
Reference:
X-Force advisory 39
As of 1 June 2001, no patches were identified for the Netscape/Oracle
Application Server problem.
Reference:
SecurityFocus BID 2569
WebSite Pro:
BEA Weblogic:
Apache: