S.A.F.E.R. Security Bulletin 000309.EXP.1.4 __________________________________________________________ TITLE : Vulnerabilities in StarScheduler DATE : March 09, 2000 NATURE : Denial-of-Service, Remote Code Execution, Access to privileged files PLATFORMS : StarScheduler/StarOffice 5.1 DETAILS: StarOffice comes with a nice groupware server, called StarScheduler. It also includes a web server that is vulnerable to several security problems. PROBLEM: A buffer overflow exists in the StarScheduler web server (which listens on port 801), that can lead to remote execution of code and root access. Since the server dies, this is also a Denial-of-Service issue. The problem is in the way web server handles long requests. Sending a "GET /['A' x 933] HTTP/1.0" will crash the server. This web server is running as a root. Another silly problem exists in the server that allows any user to gain read access to files to which they normally don't have access to. Example: http://starscheduler_server:801/../../../../etc/shadow This will display the content of the /etc/shadow file. FIXES: No fixes are available yet. Sun has been contacted on 6th of February, but we have received no response from them. JOB OFFERS: The Relay Group is seeking security enthusiasts with a vast experience in intrusion testing, firewall/IDS configuration and other security-related fields. For more information, please visit: http://relaygroup.com/secjobs.html ___________________________________________________________ S.A.F.E.R. - Security Alert For Entreprise Resources Copyright (c) 2000 The Relay Group http://www.safermag.com ---- security@relaygroup.com -- ----/ / _ Fred A. Miller ---/ / (_)__ __ ____ __ Systems Administrator --/ /__/ / _ \/ // /\ \/ / Cornell Univ. Press Services -/____/_/_//_/\_,_/ /_/\_\ fm@cupserv.org