SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  Web Traffic Express Vendors:  IBM
IBM Web Traffic Express Caching Proxy Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1005471
CVE Reference:  CAN-2002-1169   (Links to External Site)
Updated:  Oct 23 2002
Original Entry Date:  Oct 23 2002
Impact:  Denial of service via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Rapid 7
Version(s): 3.6, 4.x
Description:  A denial of service vulnerability was reported in IBM's Web Traffic Express Caching Proxy Server. A remote user can cause the server to crash.

Rapid 7 issued and advisory warning that a remote user can send a specially crafted, malformed HTTP request for /cgi-bin/helpout.exe to cause ibmproxy.exe to crash. If the request is supplied without an HTTP version specifier or with a malformed version specifier at the end of the request line, an access violation will occur in the WHTTPD.DLL module.
Impact:  A remote user can cause the service to crash.
Solution:  IBM has released efix build number 4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue and other security issues. IBM has assigned APAR# IY35970 to this issue.

IBM customers should install Caching Proxy efix build 4.0.1.26 or higher.

According to the report, this fix has also been ported back to the Web Traffic Express v3.6 code base. Customers running v3.6 can contact IBM support for more information on how to upgrade.

As a temporary workaround, Rapid 7 indicates that users can move the file /cgi-bin/helpout.exe to a non-executable directory until the fix has been applied.
Vendor URL:  www-3.ibm.com/software/webservers/wte/ (Links to External Site)
Cause:  Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (NT)
Reported By:  "Rapid 7 Security Advisories" <advisory@rapid7.com>
Message History:   None.

 Source Message Contents
Date:  Wed, 23 Oct 2002 12:08:39 -0700
From:  "Rapid 7 Security Advisories" <advisory@rapid7.com>
Subject:  [VulnWatch] R7-0007: IBM WebSphere Edge Server Caching Proxy Denial of Service

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________
                     Rapid 7, Inc. Security Advisory

        Visit http://www.rapid7.com/ to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0007
IBM WebSphere Edge Server Caching Proxy Denial of Service

   Published:  October 23, 2002
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0007.txt

   IBM:        APAR# IY35970

   CVE:        CAN-2002-1169
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1169

   Bugtraq:    6002
   http://online.securityfocus.com/bid/6002

1. Affected system(s):

   KNOWN VULNERABLE:
    o IBM Web Traffic Express Caching Proxy Server v4.x (bundled
      with IBM WebSphere Edge Server v2.0)
    o IBM Web Traffic Express Caching Proxy Server v3.6

2. Summary

   The Caching Proxy component of IBM's WebSphere Edge Server v2.0 is
   vulnerable to a denial-of-service attack against one of the default
   CGI programs.  A malformed HTTP request for /cgi-bin/helpout.exe
   will cause ibmproxy.exe to crash and cease functioning.

   IBM now bundles Web Traffic Express v4.0 with WebSphere Edge Server
   v2.0.  IBM Web Traffic Express v3.6 and earlier were separately
   shipping products. 

3. Vendor status and information

   IBM Software
   http://www-3.ibm.com/software/webservers/edgeserver/index.html

      IBM was notified of this issue and has released efix build number
      4.0.1.26 for Caching Proxy Server v4.x, which fixes this issue
      and other security issues (see Rapid 7 advisory R7-0008 for more
      information: http://www.rapid7.com/advisories/R7-0008.txt ).

      IBM is tracking this issue as APAR# IY35970.

4. Solution

   IBM customers should install Caching Proxy efix build 4.0.1.26 or
   higher.  Efix builds can be downloaded from IBM's secure FTP site.
   For more information on obtaining efix builds, contact IBM support
   with the APAR number listed above.

   This fix has also been ported back to the Web Traffic Express v3.6
   code base.  Customers running v3.6 should contact IBM support for
   more information on how to upgrade to a newer build.

   As a temporary workaround, you can move the file /cgi-bin/helpout.exe
   to a non-executable directory until the fix has been applied.

5. Detailed analysis

   The proxy server will crash when /cgi-bin/helpout.exe is the subject of
   an HTTP request that does not include an HTTP version specifier at the
   end of the request line.

   If you include a version specifier (e.g. "HTTP/1.0"), helpout.exe
   will successfully serve up a blank page.

      [~] $ telnet localhost 80
      Trying 127.0.0.1...
      Connected to proxy.victim.com.
      Escape character is '^]'.
      GET /cgi-bin/helpout.exe HTTP/1.0

      HTTP/1.1 200 Document follows
      Pragma: no-cache
      Last-Modified: Fri, 18 Oct 2002 16:54:40 GMT
      Content-Type: text/html
      Accept-Ranges: bytes
      Connection: close
      Date: Fri, 18 Oct 2002 16:54:40 GMT
      Server: IBM-PROXY-WTE/2.0

      Connection closed by foreign host.

   If you send a request with no version specifier, or with a version
   specifier that does not include a forward slash (e.g. "HTTP" or ""),
   ibmproxy.exe will crash, closing all connections:

      [~] $ telnet localhost 80
      Trying 127.0.0.1...
      Connected to proxy.victim.com.
      Escape character is '^]'.
      GET /cgi-bin/helpout.exe HTTP

      Connection closed by foreign host.

   An exception dialog will be displayed on the server console, reading:

      ibmproxy.exe - Application Error
      The instruction at "0x002662ac" referenced memory at "0x00000000". 
The
      memory could not be "read".

   The access violation occurs within the WHTTPD.DLL module.

6. Contact Information

   Rapid 7 Security Advisories
   Email:   advisory@rapid7.com
   Web:     http://www.rapid7.com/
   Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories.  These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information.  Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9tuwMcL76DCfug6wRAioTAJ91LNRpu30YE5LV9lTjnCzlTx4EewCgpt2q
7qnbIzCEw4FROK1eRW2NtoM=
=SlFt
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC