COMMAND

    netscape

SYSTEMS AFFECTED

    - Netscape Certificate Management System 4.2 (Microsoft Windows NT 4.0 version)
    - Netscape Directory Server 4.12 (Microsoft Windows NT 4.0 version)

PROBLEM

    Following is based on CORE SDI Vulnerability Report CORE-2000103102.
    Communications with the vendor have been remarkably difficult and to
    a large degree unproductive.  Last point of contact was October 18,
    2000.  That last communication stated that they would be getting
    back to SDI shortly.  Nothing!

    A bug in several components of the Netscape Servers suite of products
    allows an attacker to conduct a denial of service attack against the
    vulnerable systems.  The Netscape Certificate Management System also
    has several server components that share the problem.

    This vulnerability  was found  by Emiliano  Kargieman and  Agustin
    Kato Azubel from Core SDI S.A.

    The Netscape Directory Server 4.12 provides a Web to LDAP gateway by
    means of the Directory Services Gateway (DSGW) web server.  No
    authentication credentials are required from the client to access
    DSGW.  The same service is installed and used as part of the
    Certificate Management System (Netscape/iPlanet CMS 4.2), and in
    that case it listens on a TCP port chosen during the installation
    process (24326/tcp in this example).

    A request with the following URI:

        http://server:24326/dsgw/bin/search?context=%

    will trigger an exception at 0x00403c62 and cause the server to hang
    and stop servicing requests until the generated exception is
    dismissed, which requires operator intervention on the server.  The
    same problem is present in all the binaries in the
    Netscape\Server4\dsgw\bin directory (auth, csearch, dnedit, doauth,
    domodify, dosearch, edit, lang, newentry, search, unauth), except
    for the program 'tutor'.

    The '%' can be replaced by any string containing a non-alphanumeric
    character other than '_' or '-'.  String length does not matter for
    this particular problem; as the example above shows, a string of a
    single non-alphanumeric character is enough.

    The problem lies in a function that uses a buffer which is allocated
    only when the string after 'context=' is alphanumeric.  When the
    string is not, the buffer is never allocated but is still used, and
    the resulting exception is what hangs the server.  The input is not
    validated before use, so an unauthenticated client controls which of
    the two paths the code takes.
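    The shape of the bug, as an added example that is not Netscape's code
    nor part of the Core SDI report: a minimal reconstruction of the
    allocate-only-if-valid pattern beside a hardened form that rejects
    the name before anything touches the buffer.  The function names, the
    accepted character set (alphanumerics plus '_' and '-', per the
    advisory), the HTTP status mapping and the "dsgw/context/<name>.conf"
    file-name mapping are assumptions made for illustration.

```c
/*
 * Added example (not Netscape code): a minimal reconstruction of the
 * allocate-only-if-valid pattern the advisory describes, beside a
 * hardened form.  Function names, the accepted character set and the
 * "dsgw/context/<name>.conf" mapping are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if every character of s is alphanumeric, '_' or '-', else 0.
 * An empty or missing name is treated as invalid (assumption). */
int context_is_valid(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/*
 * Vulnerable shape: the buffer is allocated only when the name validates,
 * but it is used unconditionally afterwards.  For "context=%" buf stays
 * NULL and the final strcat dereferences it; on NT 4.0 the resulting
 * access violation is what hangs the server until someone dismisses it.
 * Only call this with a valid name; it is here to show the bug.
 */
char *build_context_path_vulnerable(const char *context)
{
    char *buf = NULL;

    if (context_is_valid(context)) {
        buf = malloc(strlen(context) + sizeof("dsgw/context/.conf"));
        if (buf == NULL)
            return NULL;
        strcpy(buf, "dsgw/context/");
        strcat(buf, context);
    }
    strcat(buf, ".conf");          /* BUG: reached with buf == NULL */
    return buf;
}

/*
 * Hardened shape: reject the name first, and only touch the buffer on
 * the path where it was actually allocated.  Returns NULL on rejection
 * so the caller can answer with an error instead of faulting.
 */
char *build_context_path_hardened(const char *context)
{
    size_t n;
    char *buf;

    if (!context_is_valid(context))
        return NULL;
    n = strlen(context) + sizeof("dsgw/context/") + sizeof(".conf");
    buf = malloc(n);
    if (buf == NULL)
        return NULL;
    snprintf(buf, n, "dsgw/context/%s.conf", context);
    return buf;
}

/* Request-handler sketch: maps the outcome to an HTTP status.  *path_out
 * receives the malloc'd path (caller frees it) or NULL on rejection. */
int handle_search(const char *context, char **path_out)
{
    *path_out = build_context_path_hardened(context);
    return *path_out != NULL ? 200 : 400;
}

int main(void)
{
    /* Constructed probe values, including the advisory's "%" case. */
    const char *probes[] = { "default", "my_ctx-1", "%", "a b", "" };
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        char *path = NULL;
        int status = handle_search(probes[i], &path);
        printf("context=%-10s -> %d %s\n", probes[i], status,
               path ? path : "(rejected)");
        free(path);
    }
    return 0;
}
```

    The vulnerable function is the one the advisory's "%" request would
    reach; the hardened one answers the same request with an error and
    never executes a code path that depends on the allocation having
    happened.  Validating the parameter once, before any buffer work,
    also covers the other DSGW binaries that share the routine.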

SOLUTION

    Contact the vendor for a fix.