COMMAND

    NetCache/NetApp

SYSTEMS AFFECTED

    NetCache/NetApp Release 3.4

PROBLEM

    Michal Zalewski found the following.  NetCache by Network
    Appliance is one of the most popular heavy-duty commercial
    proxy/cache applications.  In fact, it's rather poorly written.
    We can't see the source code, but we can see some of its side
    effects.  There are a lot of them, but we'll try to focus on
    something called 'internal requests' - requests that access the
    proxy itself and are handled specially.

    For example, by connecting to the proxy server and sending

        GET http://proxy_server_itself:8080/disk_objects/help

    we'll (usually) get an error message with this URL and a few
    stupid characters appended at the end of it.  It won't happen if
    you specify anything after 'help' - so I believe it's something
    like a broken sscanf() used to determine which help object the
    user wants.  But that's not the point.

    Try appending a slash and approx 10k of 'A' letters to our
    request.  For any other request, one treated as 'external', it
    might result only in an error message.  But in this case, with
    something around 9850 characters, our connection to the proxy
    server is immediately dropped...  sounds familiar?  It's an
    overflow.

    Another way to reach it (and cause the crash) is something like:

        GET disk_object://xx/AAAAA...

    Btw., are you wondering whether there is anything interesting
    available to download this way?  There are some pictures,

        disk_object://xx/help/graphics/help.gif

    and so on...  Aaaah, almost forgot!  Any file within the
    disk_object hierarchy might be downloaded as-is by appending '/'
    to the URL - for example

        disk_object://xx/help/graphics/help.gif/

    will return a text/plain dump of this GIF.  This means NetCache
    fails to classify this file, so if there's any script or other
    special object, it won't be recognized as something 'special'?
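
    The checks below are an added example, not part of the original
    advisory and not NetApp code: a Python filter for request lines
    that flags the internal-request patterns described above (an
    oversized disk_objects or disk_object:// URL, and a trailing '/'
    after a file name).  The host name proxy.example, the
    1024-character limit and the sample lines are assumptions
    constructed for illustration.

```python
import re

# Assumption: generous ceiling for a legitimate internal URL; tune per site.
MAX_INTERNAL_URL = 1024
# Assumption: names under which clients address the proxy itself.
PROXY_HOSTS = {"proxy.example"}

# Internal requests as described in the advisory: the disk_object:// scheme,
# or http://<proxy itself>[:port]/disk_objects/...
INTERNAL = re.compile(
    r"^(?:disk_object://[^/]*|http://(?P<host>[^/:]+)(?::\d+)?/disk_objects)"
    r"(?P<path>/.*)?$", re.IGNORECASE)
# A final path component that looks like a file name, followed by '/'.
FILE_THEN_SLASH = re.compile(r"/[^/]+\.[A-Za-z0-9]{1,5}/$")

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET http://proxy.example:8080/disk_objects/help",
    "GET http://proxy.example:8080/disk_objects/help/" + "A" * 9850,
    "GET disk_object://xx/help/graphics/help.gif",
    "GET disk_object://xx/help/graphics/help.gif/",
    "GET http://www.example.org/index.html HTTP/1.0",
]


def classify(request_line):
    """Return the findings for one request line; an empty list means not internal."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    url = parts[1]
    m = INTERNAL.match(url)
    # Only the proxy's own host counts as internal for the http:// form.
    if not m or (m.group("host") and m.group("host").lower() not in PROXY_HOSTS):
        return []
    findings = ["internal request"]
    if len(url) > MAX_INTERNAL_URL:
        findings.append("oversized internal URL (%d chars)" % len(url))
    if FILE_THEN_SLASH.search(m.group("path") or ""):
        findings.append("trailing slash after file name")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), line[:60])
```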

SOLUTION

    Nothing yet.