COMMAND

    Netscape Enterprise and FastTrack Web Servers

SYSTEMS AFFECTED

    Netscape Enterprise 3.6sp2 and FastTrack Web 3.01 Servers

PROBLEM

    The following is based on an ISS Security Advisory. Netscape produces
    web servers and web browsers for individuals, small workgroups, and
    business professionals. An attacker can send the web server an overly
    long HTTP GET request, overflowing a buffer in the Netscape httpd
    service and overwriting the process's stack. This allows a
    sophisticated attacker to force the machine to execute any program
    code that is sent. The ISS X-Force has demonstrated that it is
    possible to use this vulnerability to execute arbitrary code as SYSTEM
    on the server, giving an attacker full control of the machine.

    An overflow exists in the "Accept" header field, which can be
    exploited with any of the common request methods, e.g.:

        GET / HTTP/1.0
        Accept: (a page or so of data)

    The fact that this overflow also affects other request methods rather
    than just "GET" leads me to believe that this may not be the same
    hole the X-Force mentioned. This was originally found by Nobuo Miwa.
    Of course, you must be able to execute small code of your choice with
    the "long Accept" command (just like the htr problem on IIS).

    Green Penguin tried the vulnerability described and it works on  a
    NES 3.5.1  under Solaris  Sparc 2.5.1.   The server  crashes after
    2085 bytes.   It works  on 3.6  SP2 w/SSL  fix as  well,  segv'ing
    after 2089 bytes.
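    The vulnerability is triggered purely by the length of one header, so
    the simplest defensive control is to measure header lengths in front
    of the server (at a reverse proxy, an IDS rule, or over captured
    request logs) and reject or alert on anything approaching the sizes
    at which the servers above crashed. The following is example code
    written for this advisory, not code from Netscape, ISS or Nobuo Miwa;
    the limits (1024 bytes for Accept, 4096 for any other header) and the
    three sample requests are constructed assumptions, chosen so the
    checker flags values before they reach the 2085/2089-byte region.
    It also joins RFC 822 style folded continuation lines and repeated
    headers before measuring, since a value split across lines reaches
    the server as one value.

```python
"""
Flag HTTP requests whose "Accept" header (or any other header) is long
enough to approach the overflow sizes reported in the advisory.
Example code written for this advisory, not Netscape's or ISS's code;
the limits and the sample requests below are constructed assumptions.
"""

# The servers crashed at 2085 and 2089 bytes; a limit well below that
# still leaves ample room for any legitimate Accept header.
ACCEPT_LIMIT = 1024          # assumed policy value
GENERIC_HEADER_LIMIT = 4096  # assumed policy value for every other header


def parse_headers(raw: bytes):
    """Split a raw HTTP/1.0 request into (request_line, {name: value}).

    Folded continuation lines (a line starting with SP or HTAB) are joined
    onto the preceding header, and repeated headers are concatenated with
    ", ", so an over-long value delivered in pieces is measured as a whole.
    Header names are lower-cased so "ACCEPT" and "Accept" are the same key.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    current = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and current is not None:
            headers[current] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed line; nothing to measure
        current = name.strip().lower().decode("latin-1")
        value = value.strip()
        headers[current] = headers[current] + b", " + value if current in headers else value
    return request_line, headers


def oversized_headers(raw: bytes):
    """Return a list of (header, length, limit) for every header over its limit."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers.items():
        limit = ACCEPT_LIMIT if name == "accept" else GENERIC_HEADER_LIMIT
        if len(value) > limit:
            findings.append((name, len(value), limit))
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (b"GET / HTTP/1.0\r\n"
          b"Accept: text/html, image/gif, image/jpeg, */*\r\n"
          b"User-Agent: Mozilla/4.0\r\n\r\n")

# A 2100-byte Accept value, just past the sizes at which the servers fell over.
LONG_ACCEPT = (b"GET / HTTP/1.0\r\n"
               b"Accept: " + b"A" * 2100 + b"\r\n\r\n")

# The same order of length delivered as folded continuation lines on a
# non-GET method, which the advisory says is affected as well.
FOLDED_ACCEPT = (b"POST /cgi-bin/x HTTP/1.0\r\n"
                 b"Accept: " + b"A" * 700 + b"\r\n"
                 b" " + b"A" * 700 + b"\r\n"
                 b"\t" + b"A" * 700 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("long", LONG_ACCEPT), ("folded", FOLDED_ACCEPT)):
        print(label, oversized_headers(req))
```

    The benign request yields no findings; the other two each report the
    joined Accept value (2100 and 2102 bytes) against the 1024-byte limit.
    Any request that produces a finding can be dropped at the proxy and
    logged with the source address and the offending header length.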

SOLUTION

    Apply the Enterprise  3.6 SP 2  SSL Handshake fix,  available from
    Netscape at:

        http://www.iplanet.com/downloads/patches/detail_12_86.html

    Netscape 2 has just finished distributing a patch for the "Accept
    overflow". It'll be released as SP3 soon (maybe they're gonna release
    it before they planned). It works well.