AnswerBook Vulnerabilities
Updated 8/9/02
CAN 2000-0696
CAN 2000-0697
Impact
Vulnerabilities in the AnswerBook server could allow
a remote attacker to execute arbitrary code.
Background
The AnswerBook2 Documentation Server from Sun Microsystems provides
access to Sun documentation using a web browser. AnswerBook2 runs a
third-party daemon called dwhttpd.
The Problems
CAN 2000-0696
CAN 2000-0697
In August 2000, two vulnerabilities in dwhttpd were identified.
The first could allow an attacker to create a new user, allowing the
attacker to then access the AnswerBook2 administrative interface.
Once the attacker has access to the administrative interface, the
second vulnerability could allow arbitrary commands to be executed
by creating log files whose names contain the commands to be executed.
AnswerBook2 1.4.2 (if unpatched) and earlier versions are affected
by these vulnerabilities.
8/9/02
There are two newer vulnerabilities in AnswerBook. The first
is a format string vulnerability in the web server daemon (dwhttpd).
This vulnerability can be exploited to cause the web server process to
execute arbitrary code. The web server runs as user and group 'daemon',
which, under recent installations of Solaris, does not own any critical files.
This effectively limits the severity of the vulnerability to a remote
unprivileged shell.
The second vulnerability is that some AnswerBook Admin scripts do not
require authentication. This allows the attacker to perform administrative
functions (e.g., adding a new admin user or viewing the server's error log)
without an account.
AnswerBook2 versions 1.43 and earlier are vulnerable.
Resolutions
Upgrade to a version of AnswerBook2 higher than 1.4.3 if available.
Otherwise, upgrade to version 1.4.3 and apply the appropriate patches.
Where can I read more about this?
For more information see Sun Security Bulletin #00196 and the
Bugtraq advisory.