Buffer Overflow Condition in Netscape Directory Server
Netscape Directory Server is subject to a buffer overflow condition.
March 7, 2001
Reported March 7, 2001, by @stake.
VERSIONS AFFECTED
Netscape Directory Server 4.11 for Windows NT
Netscape Directory Server 4.12 for Windows NT
Netscape Messaging Server 4.15 for Windows NT
iPlanet Messaging Server 5.0 for Windows NT
DESCRIPTION
The Netscape Directory Server that comes with Netscape Messaging Server 4.15 Service Pack 3 (SP3) is vulnerable to a buffer overflow condition if a malicious attacker sends a specially crafted query. This overflow condition results in either a Denial of Service (DoS) attack or arbitrary execution of code on the server. Netscape Directory Server 4.12 is also vulnerable to the same DoS overflow, but an attacker cannot execute code this way.

An intruder connecting to the SMTP service can trigger the overflow condition by using a mangled recipient name in the RCPT TO: field. The problem occurs when the intruder enters an excessive number of quote mark (") characters. After sending a message with the mangled recipient field, the SMTP service connects to the Netscape Directory Server to run queries; the overflow then occurs.

@stake has made an advisory available at http://www.atstake.com/research/advisories/2001/a030701-1.txt detailing this vulnerability.
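As an added example (not part of the @stake advisory or any vendor code), the Python check below flags RCPT TO lines in an SMTP command log whose recipient carries unbalanced or excessive unescaped quote marks, the condition described above. The length limits come from RFC 5321; MAX_QUOTES and the sample log lines are assumptions constructed for this example.

```python
import re

# Assumed limits: RFC 5321 caps the local-part at 64 octets and the path at 256.
# MAX_QUOTES is a hypothetical policy value; the advisory gives no number.
MAX_LOCAL, MAX_PATH, MAX_QUOTES = 64, 256, 2
RCPT_RE = re.compile(r"^\s*RCPT\s+TO:\s*(.*)$", re.IGNORECASE)

def unescaped_quotes(s):
    """Count double quotes that are not backslash-escaped."""
    count, i = 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2          # skip the escaped character
            continue
        count += s[i] == '"'
        i += 1
    return count

def check_rcpt(line):
    """Return reasons a RCPT TO line looks mangled; [] if clean or not RCPT."""
    m = RCPT_RE.match(line.rstrip("\r\n"))
    if not m:
        return []
    arg = m.group(1).strip()
    # Use the text inside <...> when present, otherwise the whole argument.
    path = arg[1:arg.rindex(">")] if arg.startswith("<") and ">" in arg else arg
    local = path.rpartition("@")[0] or path
    quotes = unescaped_quotes(local)
    reasons = []
    if quotes > MAX_QUOTES:
        reasons.append("excess-quotes")
    if quotes % 2:
        reasons.append("unbalanced-quotes")
    if len(local) > MAX_LOCAL:
        reasons.append("local-part-too-long")
    if len(path) > MAX_PATH:
        reasons.append("path-too-long")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line, numbering from 1."""
    hits = [(n, check_rcpt(l)) for n, l in enumerate(lines, 1)]
    return [(n, r) for n, r in hits if r]

# Constructed sample of client commands from an SMTP log (not real traffic).
SAMPLE = [
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.org>",
    'RCPT TO:<"john smith"@example.org>',
    "RCPT TO:<" + '"' * 7 + "@example.org>",
]
```

A legitimately quoted local-part such as "john smith" passes; only the recipient with seven bare quotes is reported.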
VENDOR RESPONSE
iPlanet Directory Server Support recommends an immediate upgrade to Netscape Directory Server 4.13 from all versions. For Netscape Messaging Server 4.15 users, upgrading to 4.13 and applying Patch 4 is recommended. iPlanet customers can obtain these updates and patches through normal iPlanet support channels.
CREDIT
Discovered by Frank Swiderski of @stake, Inc.