Note: This is an archival copy of Security Sun Alert 201324 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000998.1.
Article ID : 1000998.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Buffer Overflow in Web Connector Module of Application Server



Category
Security

Release Phase
Resolved

Bug Id
4652612

Date of Resolved Release
24-MAR-2003

Impact

A buffer overflow exists in the Web Connector Plugin that ships with the Sun ONE Application Server 6.x product line. This Web Connector Plugin enables integration between a web server and the Sun ONE Application Server. The module handles incoming HTTP request URLs, and an unbounded string operation on them can cause an overflow. It may be possible to crash the web server being used and potentially gain control of that web server.

Sun acknowledges, with thanks, @stake for bringing this issue to our attention and for suggesting the basis of the workaround.

This issue is described in the @stake Security Advisory located at: http://www.atstake.com/research/advisories/2003/a031303-1.txt.


Contributing Factors

This issue can occur in the following releases:

Versions of the Sun ONE Application Server impacted:

  • Sun ONE/iPlanet Application Server 6.0
  • Sun ONE/iPlanet Application Server 6.0 Service pack 1
  • Sun ONE/iPlanet Application Server 6.0 Service pack 2
  • Sun ONE/iPlanet Application Server 6.0 Service pack 3
  • Sun ONE/iPlanet Application Server 6.0 Service pack 4
  • Sun ONE/iPlanet Application Server 6.5
  • Sun ONE/iPlanet Application Server 6.5 Maintenance Update 1
  • Sun ONE/iPlanet Application Server 6.5 Maintenance Update 2

The following web servers on all supported platforms are impacted when the web connector plugin is installed:

  • Sun ONE/iPlanet Web Server
  • Microsoft IIS
  • Apache

Note: The exact web server versions are listed in the release notes for each version of the Sun ONE Application Server. There is no bug in the web server product.

Versions of the Sun ONE Application Server that are NOT impacted:

  • Sun ONE Application Server 6.5 Maintenance Update 3
  • Sun ONE/iPlanet Application Server 6.5 SP1
  • Sun ONE Application Server 7 Platform Edition
  • Sun ONE Application Server 7 Standard Edition

Symptoms

The web server may exit abnormally ("crash").


Workaround

The following patches are available:

Instructions to apply the patches/workarounds:

Note: On Windows the file is a "DLL" instead of an "so" file. README files are attached with the patches.

Sun ONE/iPlanet Web Server 4.1 Service Pack 1 through 12:

In the config directory of the particular webserver instance, (e.g. iws4.13/https-ias/config), make the following two changes in the "obj.conf" file:

1) Add the following entry:

	Init fn="load-modules" shlib="<path to location of patch>/nsapipatch.so" funcs="check_uri_length"

Ensure that the line is added before the existing Init entries.

2) Add the following entry within the <Object name=default> section, as the first line of the section:

	NameTrans fn="check_uri_length" maxlength=255

Now the "obj.conf" file will contain something like the following:

	...
	Init fn="load-modules" shlib="<path to location of patch>/nsapipatch.so" funcs="check_uri_length"
	...
	<Object name=default>
	NameTrans fn="check_uri_length" maxlength=255
	...
	</Object>

Restart the webserver instance. The "maxlength" value must be set to 255 to protect the web server from this buffer overflow.

Sun ONE/iPlanet Web Server 6.0 Service Pack 1 through 5:

In the config directory of the particular webserver instance, (e.g. iws6.0sp2b/https-ias/config), add the following entry in the "magnus.conf" file such that this entry appears before the iAS webconnector plugin entries:

	Init fn="load-modules" shlib="<path to location of patch>/nsapipatch.so" funcs="check_uri_length"

Add the following entry in the "obj.conf" file within <Object name=default> section as the first entry:

	NameTrans fn="check_uri_length" maxlength=255

Now the "obj.conf" file will contain something like the following:

	<Object name=default>
	NameTrans fn="check_uri_length" maxlength=255
	...
	</Object>

Restart the webserver instance. The "maxlength" value must be set to 255 to protect the web server from this buffer overflow.
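The checks below are an added example, not part of the original advisory or of Sun's patch: a Python audit of "obj.conf" text (plus "magnus.conf" text for Web Server 6.0) that confirms the entries described in the two procedures above are present, in the required position, with maxlength=255. The sample configuration and its shlib path are constructed placeholders.

```python
import re

PARAM = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def params(line):
    """Parse name=value pairs from a directive line, stripping quotes."""
    return {k: v.strip('"') for k, v in PARAM.findall(line)}

def directives(text):
    """Non-blank, non-comment lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]

def audit(obj_conf, magnus_conf=None):
    """Return findings; an empty list means the workaround is configured.
    Pass magnus_conf for Web Server 6.0, where Init lines live in magnus.conf."""
    findings = []
    init_src = obj_conf if magnus_conf is None else magnus_conf
    inits = [params(l) for l in directives(init_src) if l.startswith("Init ")]
    loads = [i for i, p in enumerate(inits) if p.get("fn") == "load-modules"
             and "check_uri_length" in p.get("funcs", "").split(",")]
    if not loads:
        findings.append("no Init load-modules entry for check_uri_length")
    elif magnus_conf is None and loads[0] != 0:
        # 4.1 only; order against the iAS plugin entries in magnus.conf is not checked.
        findings.append("check_uri_length Init is not before other Init entries")
    lines = directives(obj_conf)
    start = next((i for i, l in enumerate(lines)
                  if re.fullmatch(r'<Object\s+name="?default"?\s*>', l)), None)
    first = lines[start + 1] if start is not None and start + 1 < len(lines) else ""
    p = params(first)
    if not (first.startswith("NameTrans ") and p.get("fn") == "check_uri_length"):
        findings.append("check_uri_length is not the first entry of the default object")
    elif p.get("maxlength") != "255":
        findings.append("maxlength=%s, advisory requires 255" % p.get("maxlength"))
    return findings

# Constructed sample configs; the shlib path is a placeholder.
GOOD_41 = '''Init fn="load-modules" shlib="/opt/patch/nsapipatch.so" funcs="check_uri_length"
Init fn="load-types" mime-types="mime.types"
<Object name=default>
NameTrans fn="check_uri_length" maxlength=255
NameTrans fn="document-root" root="/docs"
</Object>
'''
BAD_41 = GOOD_41.replace("maxlength=255", "maxlength=4096")

if __name__ == "__main__":
    print(audit(GOOD_41), audit(BAD_41))
```
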

Microsoft IIS (only for Windows) users:

Copy "iispatch.dll" to a suitable directory, for example, C:\winnt\system32\iispatch.dll. Go to the Windows Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters. Edit the "Filter DLLs" value, prepending the above path followed by a comma (','). The new registry value then looks like the following:

	C:\winnt\system32\iispatch.dll,c:\inetpub\wwwroot\cgi-bin\gx.dl

Restart the webserver instance.

Apache Web Server:

Edit the "httpd.conf" file and add the line "LimitRequestLine 255". Restart the webserver.

Notes: In addition to the patches/workarounds mentioned above, the following configuration can be used on Solaris platforms.

Some relief from the buffer overflow is available by enabling non-executable user stacks (although this does not provide 100 percent protection against exploitation of this vulnerability, it makes the likelihood of a successful exploit much smaller). This workaround is only effective on sun4u, sun4m, and sun4d architectures (enter "uname -m" to display a system's architecture). This workaround will not work on Intel platforms.

To enable non-executable program stacks add the following lines to the "/etc/system" file and reboot the system:

	set noexec_user_stack = 1
	set noexec_user_stack_log = 1

On other operating systems, workarounds may exist; follow the guidelines from the respective vendors.


Resolution

This issue is addressed in the following releases:

  • Sun ONE Application Server 6.5 Maintenance Update 3
  • Sun ONE Application Server 6.5 Service Pack 1

Available at: http://wwws.sun.com/software/download/app_servers.html.



Modification History

Product
Sun ONE Application Server 6.5, Enterprise Edition