SUMMARY/WARNING: AnswerBook2 DoS bug

From: Thomas Anders (anders@hmi.de)
Date: Thu Apr 30 1998 - 05:00:53 CDT


Hello,

Already in December 1997 I discovered a serious bug in the AnswerBook2
server dwhttpd/3.1a4 that ships with Solaris 2.6 (server edition). With
a simple socket connection to the AB2 port (default: 8888), *anyone* on
the network with access to that port (default: everybody, see below) can
bring the server to spin and deny further responses:

--- snip ---
  HTTP/1.0 500 Server Error
  Server: dwhttpd/3.1a4 (Inso; sun5)
  [...]

  The server currently lacks the resources needed to handle your request.
  Please try again later.
--- snap ---

The affected dwhttpd process will eat one CPU, with possible impact on
other services. (MP machines will still have some CPUs available.)

I reported this to Sun who filed a bug report

        bug/sherlock/server/4099376
        HTTP 1.0 HEAD request brings the dwhttpd to spin

and assigned priority "fix within 3 months". AB2 technology is a
third-party product, so Sun filed a bug with Inso who provides
dwhttpd as part of their DynaWeb toolkit. Five months later (!)
now they finally claim: it's fixed in dwhttpd/4.0 which will ship
with Solaris 2.7. Still no patch for the existing AB2 package!

What you can do:

Q: Do I run dwhttpd?
 A: Check for packages SUNWab2r, SUNWab2s and SUNWab2u.
    Check if dwhttpd is invoked at system startup (/etc/rc2.d/S96ab2mgr)
    Check with "ps -ef | grep dwhttpd"

Q: Is my AB2 server really vulnerable?
 A: If you don't believe it, check yourself - the source code for a
    sample "AB2 DoS attack program" (that I gave Sun to reproduce the bug)
    is included in the bug report (wow - Sun publishes exploit scripts!).

Q: I'm vulnerable - what can I do?
 A: 1. The only real fix is "/etc/init.d/ab2mgr stop" (which is a DoS
        itself :)
    2. Restrict the access to your AB2 server port to particular clients
       (e.g. intranet only) by tcp-wrapper or firewall setup.
*** 3. Get nervous, call Sun, request a patch for this bug now. ***

I hope we can get Sun/Inso to produce a *patch* soon.
If there is any substantial news I will summarize again.

Best regards,
Thomas

--
Thomas Anders <anders@hmi.de>
Hahn-Meitner-Institut Berlin, Germany
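The following is an added example, not part of the original post and not code from Sun or Inso: a small Python checker for the "Is my AB2 server really vulnerable?" question above. It fingerprints the dwhttpd banner rather than reproducing the DoS. It assumes (from the post) that dwhttpd releases before 4.0 are affected, that a spinning server answers with the "500 Server Error ... lacks the resources" page quoted above, and that a plain GET does not trigger the spin, since the bug title names the HTTP/1.0 HEAD request as the trigger. The sample reply embedded in the code is constructed from the quoted snippet; the host and port arguments, function names and exit codes are this example's own choices.

```python
import re
import socket
import sys

# Constructed from the error page quoted in the post; not a live capture.
SAMPLE_SPINNING_RESPONSE = (
    b"HTTP/1.0 500 Server Error\r\n"
    b"Server: dwhttpd/3.1a4 (Inso; sun5)\r\n"
    b"\r\n"
    b"The server currently lacks the resources needed to handle your request.\n"
    b"Please try again later.\n"
)

# Inso/Sun claim the fix ships in dwhttpd/4.0; anything older is treated as affected.
FIXED_VERSION = (4, 0)
SPIN_MARKER = b"lacks the resources needed to handle your request"


def parse_response(raw: bytes):
    """Split a raw HTTP/1.0 reply into (status_code, headers, body).

    Header names are lower-cased; status_code is None when the status line
    is unparseable. Both CRLF and bare LF separators are accepted.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    status = None
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0]) if lines else None
    if m:
        status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def dwhttpd_version(server_header: str):
    """Return (major, minor) from a 'dwhttpd/3.1a4 (...)' banner, or None."""
    m = re.search(r"\bdwhttpd/(\d+)\.(\d+)", server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected_version(server_header: str) -> bool:
    """True when the banner is a dwhttpd older than the 4.0 release said to carry the fix."""
    ver = dwhttpd_version(server_header)
    return ver is not None and ver < FIXED_VERSION


def classify(raw: bytes) -> str:
    """Label a reply: 'spinning', 'affected-version', 'dwhttpd-fixed' or 'not-dwhttpd'."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    if status == 500 and SPIN_MARKER in body:
        return "spinning"          # server already in the wedged state
    if dwhttpd_version(server) is None:
        return "not-dwhttpd"
    return "affected-version" if is_affected_version(server) else "dwhttpd-fixed"


def probe(host: str, port: int = 8888, timeout: float = 5.0) -> bytes:
    """Fetch the banner with a GET (assumption: GET does not trigger the spin; HEAD does)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks, total = [], 0
        while total < 65536:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: ab2check.py HOST [PORT]")
        sys.exit(2)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8888
    verdict = classify(probe(host, port))
    print(f"{host}:{port} -> {verdict}")
    sys.exit(0 if verdict in ("dwhttpd-fixed", "not-dwhttpd") else 1)
```

Run it from a host that should *not* be allowed to reach the AB2 port: an "affected-version" verdict from there means the tcp-wrapper or firewall restriction suggested in item 2 is not in place. A "spinning" verdict means the server is already wedged and needs "/etc/init.d/ab2mgr stop" and a restart.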



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:39 CDT