CVE-1999-1416
CVSS 5.0
Published: 1998-08-23 00:00:00
Revised: 2008-09-10 15:01:54

[Original] AnswerBook2 (AB2) web server dwhttpd 3.1a4 allows remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large content-length.


[CNNVD] Solaris ab2 (DynaWeb) Server DoS & Possible Trojan Vulnerability (CNNVD-199808-013)

A vulnerability exists in the AnswerBook2 (AB2) web server dwhttpd version 3.1a4. A remote attacker can cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1416
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1416
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199808-013
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/253
(UNKNOWN)  BID  253
http://www.securityfocus.com/archive/1/10383
(VENDOR_ADVISORY)  BUGTRAQ  19980823 Solaris ab2 web server is junk

- Vulnerability information

Solaris ab2 (DynaWeb) Server DoS & Possible Trojan Vulnerability
Medium severity  Other
1998-08-23 00:00:00  2006-08-16 00:00:00
Remote ※ Local
A vulnerability exists in the AnswerBook2 (AB2) web server dwhttpd version 3.1a4. A remote attacker can cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.

- Advisories and patches

AB2 technology is a third-party product from INSO who provides 'dwhttpd' as part of their DynaWeb toolkit. DynaWeb is an implementation of dynamic hypertext, where there are no preexisting web pages. Instead, the pages that you see are constructed on the fly by searching for the most relevant documents based on the links that you select.
This bug is apparently fixed in Solaris 2.7. It is unknown if INSO updated the DynaWeb package for external release.

- Vulnerability information

10878
Sun AnswerBook2 Web Server dwhttpd Malformed Content-Length DoS
Remote / Network Access Denial of Service
Loss of Availability Patch / RCS
Vendor Verified

- Vulnerability description

AnswerBook2 contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user submits a POST request with an overly large content length, and will result in loss of availability for the service.

- Timeline

1998-08-23 Unknown
Unknown 1998-11-01

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems, Inc. has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Solaris ab2 (DynaWeb) Server DoS & Possible Trojan Vulnerability
Failure to Handle Exceptional Conditions 253
Yes Yes
1998-04-30 12:00:00 2007-11-15 12:39:00
This vulnerability was initially forwarded to the Bugtraq mailing list by Jamie Lawrence <jal@THIRDAGE.COM> Thu, 30 Apr 1998 (the actual forwarded message was written by Thomas Anders <anders@hmi.de>). On Sun, 23 Aug 1998, Marc Slemko <marcs@ZNEP.COM> sent

- Affected program versions

Sun Solaris 2.6_x86
Sun Solaris 2.6
Inso dwhttpd 3.1 a4
+ Sun SUNWab2u 1.19
Sun Solaris 7.0_x86
Sun Solaris 7.0

- Unaffected program versions

Sun Solaris 7.0_x86
Sun Solaris 7.0

- Vulnerability discussion

A denial-of-service attack and a possible trojan-insertion attack have been found in dwhttpd/3.1a4 (answerbook webserver).

At least two users reported this bug to Bugtraq and to Sun. The following database entry is a summary of their messages. The actual messages in their entirety are included in the Credit section of this database entry.

- - - - - - - - - -
It seems to be trivial to force dwhttpd to stop processing CGI requests by doing a POST with a large content-length; further CGI requests then fail with the following message:

HTTP/1.0 500 Server Error
Server: dwhttpd/3.1a4 (Inso; sun5)
[...]

The server currently lacks the resources needed to handle your request.
Please try again later.

The affected dwhttpd process will eat one cpu, with possible impact on other services. (MP machines will still have some cpus available.)

Furthermore, it doesn't seem to handle %-encoding, and logs in a bizarre way, which results in URLs with printf-style '%' strings in them getting odd log entries. For example, accessing

http://apollo:8888/foo/%s

gives a log entry of:

http-8888 [02/May/2000:00:24:12 -0600] warning: send-file reports: The requested8ãÿ�$þ�G���������ªä¾���" could not be opened!

It is interpreting the %s as a printf style format string. This could, if you can find the right error message and have the right memory accessed, possibly compromise information from the address space of the server that shouldn't be compromised. Not likely, but possible. Note that this mishandling of %-encoded strings also rejects valid requests that are % encoded, but the server doesn't even start to be HTTP compliant so that probably doesn't matter.

You can cause it to core dump trivially in many ways. Requesting /foo.cgi makes it die, as does a request that is long enough to get an ENAMETOOLONG (causes it to try opening ""), or even longer (causes it to die with an assertion failure):

Assertion failed: buffer && len > 0 && timeout >= 0, file ../dwhttpd/dwsocket.cc, line 294\n

All of the above can possibly result in some security problems. None of these appear to be buffer overflow problems. More serious, however, is this excerpt from a truss of it handling a request:

poll(0xDED00A60, 1, 120000) = 1
recv(12, " G E T / H T T P / 1".., 4096, 0) = 261
xstat(2, "/usr/lib/ab2/data/docs/", 0xDED03BB4) = 0
xstat(2, "/tmp/ecm/utf8.so", 0xDED03024) Err#2 ENOENT
xstat(2, "/usr/lib/ab2/lib/ecm/utf8.so", 0xDED03024) Err#2 ENOENT
xstat(2, "/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", 0xDED03024) = 0
open("/usr/lib/ab2/dweb/sunos5/lib/ecm/utf8.so", O_RDONLY) = 13

This is dangerous in that it seems to access (or open) a shared library in /tmp:

xstat(2, "/tmp/ecm/utf8.so", 0xDED03024) Err#2 ENOENT

This could in theory allow a hostile user to install a trojan library in the /tmp/ecm directory, replacing utf8.so, and allowing them to leverage the access level that dwhttpd is run as.
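
The two server-side defects summarized in the discussion above, a Content-Length that the server tries to honour without any bound, and client-supplied request text passed to the logger as a printf format string, are generic mistakes in request handling. The following C example is added here for illustration; it is not dwhttpd code, Sun's patch, or anything from the Bugtraq posts. It shows a request-parsing layer that validates and caps Content-Length before any body is buffered (answering 413 or 400 instead of exhausting resources), and a log formatter that carries the request path as an argument to a fixed format string so that "/foo/%s" is logged literally. The header samples, the 1 MiB limit (`MAX_BODY_BYTES`) and all function names (`body_policy`, `format_log_line`, `find_header`, `parse_content_length`) are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Largest request body this hypothetical server will buffer (assumed policy). */
#define MAX_BODY_BYTES (1L << 20)

typedef enum { CL_OK, CL_MALFORMED, CL_TOO_LARGE } cl_status;

/* Validate a Content-Length value: unsigned decimal digits only, no overflow,
 * and at most MAX_BODY_BYTES. Anything else is rejected before a body reader
 * ever tries to satisfy it. */
static cl_status parse_content_length(const char *value, long *out)
{
    char *end;

    while (*value == ' ' || *value == '\t')
        value++;
    /* strtol would accept a sign and leading whitespace; require a digit. */
    if (!isdigit((unsigned char)*value))
        return CL_MALFORMED;

    errno = 0;
    long n = strtol(value, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE;          /* does not even fit in a long */

    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return CL_MALFORMED;          /* trailing junk such as "12abc" */

    if (n > MAX_BODY_BYTES)
        return CL_TOO_LARGE;
    *out = n;
    return CL_OK;
}

/* Copy the value of header `name` (matched case-insensitively) from a
 * CRLF-separated header block into `out`. Returns 1 if found, 0 if absent,
 * -1 if the value does not fit in `out`. */
static int find_header(const char *headers, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *line = headers;

    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        if (linelen > nlen && strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            size_t vlen = linelen - nlen - 1;
            if (vlen >= cap)
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return 0;
}

/* Decide whether a request body may be read. Returns 0 (accept; *len holds the
 * body length, 0 when no Content-Length is present), 400 for a malformed
 * header, or 413 when the declared body exceeds the cap. */
int body_policy(const char *headers, long *len)
{
    char value[32];
    int r = find_header(headers, "Content-Length", value, sizeof value);

    *len = 0;
    if (r == 0)
        return 0;
    if (r < 0)
        return 400;                   /* absurdly long value: treat as bad */
    switch (parse_content_length(value, len)) {
    case CL_OK:        return 0;
    case CL_TOO_LARGE: return 413;
    default:           return 400;
    }
}

/* Build the "could not be opened" warning. The client path is an argument to
 * a fixed format string, so a "%s" inside the path stays literal instead of
 * being interpreted as a conversion. Returns the formatted length. */
int format_log_line(char *buf, size_t cap, const char *path)
{
    return snprintf(buf, cap, "warning: send-file reports: The requested \"%s\" could not be opened!", path);
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    long len;
    int rc = body_policy("POST /cgi-bin/ab2 HTTP/1.0\r\nContent-Length: 512\r\n\r\n", &len);
    printf("normal POST -> %d (body %ld bytes)\n", rc, len);
    rc = body_policy("POST /cgi-bin/ab2 HTTP/1.0\r\nContent-Length: 99999999999999999999\r\n\r\n", &len);
    printf("huge Content-Length -> %d\n", rc);
    char line[256];
    format_log_line(line, sizeof line, "/foo/%s");
    printf("%s\n", line);
    return 0;
}
```

A server using this check would answer 413 and close the connection rather than allocating or waiting for a body it will never need, which removes the resource-exhaustion path; the fixed-format logger is the standard remedy for the format-string behaviour seen in the log excerpt above. The /tmp library search path noted in the truss output is a separate problem and is not covered by this example.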

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

AB2 technology is a third-party product from INSO who provides 'dwhttpd' as part of their DynaWeb toolkit. DynaWeb is an implementation of dynamic hypertext, where there are no preexisting web pages. Instead, the pages that you see are constructed on the fly by searching for the most relevant documents based on the links that you select.

This bug is apparently fixed in Solaris 2.7. It is unknown if INSO updated the DynaWeb package for external release.

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.