COMMAND

    AnswerBook2

SYSTEMS AFFECTED

    Solaris 2.6

PROBLEM

    Thomas Anders found the following bug in the AnswerBook2 server
    dwhttpd/3.1a4 that ships with Solaris 2.6 (server edition).  With a
    simple socket connection to the AB2 port (default: 8888), *anyone*
    on the network with access to that port (by default everybody, see
    below) can bring the server to spin and deny further responses:

        HTTP/1.0 500 Server Error
        Server: dwhttpd/3.1a4 (Inso; sun5)
        [...]

        The server currently lacks the resources needed to handle your request.
        Please try again later.

    The  affected  dwhttpd  process  will  eat  one cpu, with possible
    impact on other services. (MP  machines will still have some  cpus
    available.)

    Check out the bug report:

        bug/sherlock/server/4099376
        HTTP 1.0 HEAD request brings the dwhttpd to spin

    The source code for a sample "AB2 DoS attack program" (given to Sun
    to reproduce the bug) is included in the bug report.

SOLUTION

    It's fixed in dwhttpd/4.0 which will ship with Solaris 2.7.  Still
    no patch for the existing AB2 package!  The only real fix is

        /etc/init.d/ab2mgr stop

    Otherwise, restrict access to your AB2 server port to particular
    clients (e.g. intranet only) by tcp-wrapper or firewall setup.