COMMAND

    netscape

SYSTEMS AFFECTED

    - Netscape Certificate Management System 4.2 (Microsoft Windows NT 4.0 version)
    - Netscape Directory Server 4.12 (Microsoft NT 4.0 version)

PROBLEM

    Following  is   based  on   a  CORE   SDI  Vulnerability    Report
    CORE-2000103101.     An    exploitable   heap   buffer    overflow
    vulnerability  was  discovered  in  the  Netscape Directory Server
    product.   The  Netscape  Certificate  Management  System also has
    several  server  components  that  share  the problem.  Vulnerable
    systems allow the execution of arbitrary code as the user  running
    the services.

    This vulnerability  was found  by Emiliano  Kargieman and  Agustin
    Kato Azubel from Core SDI S.A.

    The Netscape Directory Server 4.12 provides a Web to LDAP gateway,
    by means of the Directory Services Gateway (DSGW) web server.   No
    authentication credentials are required from the client to  access
    DSGW.   The same  service is  installed and  used as  part of  the
    Certificate Management  System (Netscape/iPlanet  CMS 4.2)  and in
    this case it listens on a tcp port chosen during the  installation
    process (24326/tcp in this example).

    A request with an URI as follows:

        http://server:24326/dsgw/bin/search?context=<1011 'a' chars>

    will overflow a buffer located in the heap.

    This buffer  is allocated  at 404501  with a  call to  an internal
    function  that  ends  up  calling  MSVCRT!malloc.   The  buffer is
    allocated with a fixed size of 1024 bytes.  Then at 40455B a  call
    to sprintf is made like this:

        sprintf(pFixedBuffer, "%s$$LANGDIR/%s.conf", "../context/", userbuff);

    since sprintf doesn't  do any bounds  checking, the buffer  can be
    overflowed  depending  on  the  size  of  'userbuff'  which is the
    argument  the  user  specifies  to  the  'context=' parameter when
    calling the vulnerable program. A string of 999 bytes is enough to
    overflow the 'pFixedBuffer' by 1 byte and cause an exception.

    Due  to  the  nature  of  the data overwritten, this vulnerability
    could be  exploited, being  possible to  execute arbitrary machine
    code.   The same  problem seems  to be  present in  almost all the
    binaries (12) in  the Netscape\Server4\dsgw\bin directory  (except
    for tutor).

SOLUTION

    Contact the vendor  for a fix.   Patches for iPlanet  products are
    usually available from:

        http://www.iplanet.com/downloads/patches/index.html