[ http://www.rootshell.com/ ]

Sender: sun-managers-relay@ra.mcs.anl.gov
Date: Thu, 30 Apr 1998 12:00:53 +0200
From: anders@hmi.de (Thomas Anders)
Subject: SUMMARY/WARNING: AnswerBook2 DoS bug

Hello,

already in December 1997 I discovered a serious bug in the AnswerBook2
server dwhttpd/3.1a4 that ships with Solaris 2.6 (server edition). With
a simple socket connection to the AB2 port (default: 8888), *anyone* on
the network with access to that port (default: everybody, see below)
can bring the server to spin and deny further responses:

--- snip ---
HTTP/1.0 500 Server Error
Server: dwhttpd/3.1a4 (Inso; sun5)
[...]
The server currently lacks the resources needed to handle your request.
Please try again later.
--- snap ---

The affected dwhttpd process will eat one cpu, with possible impact on
other services. (MP machines will still have some cpus available.)

I reported this to Sun who filed a bug report

    bug/sherlock/server/4099376
    HTTP 1.0 HEAD request brings the dwhttpd to spin

and assigned priority "fix within 3 months". AB2 technology is a
third-party product, so Sun filed a bug with Inso who provides dwhttpd
as part of their DynaWeb toolkit. Five months later (!) now they finally
claim: it's fixed in dwhttpd/4.0 which will ship with Solaris 2.7.
Still no patch for the existing AB2 package!

What you can do:

Q: Do I run dwhttpd?
A: Check for packages SUNWab2r, SUNWab2s and SUNWab2u.
   Check if dwhttpd is invoked at system startup (/etc/rc2.d/S96ab2mgr)
   Check with "ps -ef | grep dwhttpd"

Q: Is my AB2 server really vulnerable?
A: If you don't believe it, check yourself - the source code for a
   sample "AB2 DoS attack program" (that I gave Sun to reproduce the
   bug) is included in the bug report (wow - Sun publishes exploit
   scripts!).

Q: I'm vulnerable - what can I do?
A: 1. The only real fix is "/etc/init.d/ab2mgr stop" (which is a DoS
      itself :)
   2. Restrict the access to your AB2 server port to particular clients
      (e.g. intranet only) by tcp-wrapper or firewall setup.
   *** 3. Get nervous, call Sun, request a patch for this bug now. ***

I hope we can get Sun/Inso to produce a *patch* soon. If there is any
substantial news I will summarize again.

Best regards,
Thomas

--
Thomas Anders
Hahn-Meitner-Institut Berlin, Germany
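
The three checks from the "Do I run dwhttpd?" answer, combined with a look at how the AB2 port is bound, as an added example that is not part of the original post or of Sun's bug report. Function names and verdict labels are hypothetical; it assumes pkginfo -q exits 0 for an installed package and that netstat -an shows a wildcard listener as "*.8888".

```sh
#!/bin/sh
# Added example, not from the original post. Function names and verdict
# labels are hypothetical; package names, rc script and port are the post's.
AB2_PKGS="SUNWab2r SUNWab2s SUNWab2u"
AB2_RC=/etc/rc2.d/S96ab2mgr
AB2_PORT=8888

# Count dwhttpd processes in `ps -ef` output on stdin. Writing the pattern
# as [d]whttpd keeps this grep's own ps entry from being counted.
count_dwhttpd() { grep -c '[d]whttpd' || true; }

# Print local addresses in LISTEN state on the AB2 port, from `netstat -an`
# on stdin. Assumes the Solaris layout: local address first, state last.
ab2_listeners() {
    grep LISTEN | awk '{ print $1 }' | grep "\.${AB2_PORT}\$" || true
}

# Count installed AB2 packages (assumes pkginfo -q exits 0 when installed);
# prints 0 on hosts without pkginfo.
count_ab2_pkgs() {
    n=0
    for p in $AB2_PKGS; do
        pkginfo -q "$p" 2>/dev/null && n=`expr $n + 1`
    done
    echo "$n"
}

# Verdict from: $1 package count, $2 process count, $3 listener addresses.
ab2_verdict() {
    if [ "$2" -gt 0 ]; then
        case "$3" in
            *"*.${AB2_PORT}"*) echo RUNNING_ALL_INTERFACES ;;  # wildcard bind
            "")                echo RUNNING_NO_LISTENER ;;
            *)                 echo RUNNING_BOUND ;;
        esac
    elif [ "$1" -gt 0 ] || [ -f "$AB2_RC" ]; then
        echo INSTALLED_NOT_RUNNING
    else
        echo ABSENT
    fi
}

# Live check: gather the inputs on this host and print the verdict.
ab2_triage() {
    procs=`ps -ef 2>/dev/null | count_dwhttpd`
    listen=`netstat -an 2>/dev/null | ab2_listeners`
    ab2_verdict "`count_ab2_pkgs`" "$procs" "$listen"
}

ab2_triage
```

RUNNING_ALL_INTERFACES means the port is reachable from any network unless a tcp-wrapper or firewall rule restricts it, which is item 2 of the mitigation list.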