List:       bugtraq
Subject:    NetCache/NetApp Release 3.4
From:       Michal Zalewski <lcamtuf () DIONE ! IDS ! PL>
Date:       2000-03-30 8:16:08

NetCache by Network Appliance (www.netapp.com) is one of the most popular
heavy-duty commercial proxy/cache applications. In fact, it's rather poorly
written. We can't see the source code, but, some side effects instead.
There's a lot of them, but I'll try to focus on something called 'internal
requests' - requests that access proxy itself and are handled specially.

For example, by connecting to proxy server and sending 'GET
http://proxy_server_itself:8080/disk_objects/help', we'll (usually) get
error message with this URL and a few stupid characters appended at the
end of it. It won't happen if you specify anything after 'help' - so I
believe it's something like broken sscanf() used to determine which help
object user wants. But that's not the point. Try appending slash and
approx 10k of 'A' letters to our request. In case of any other request
treated as 'external', it might result only in error message. But in this
case, with something around 9850 characters, our connection to proxy
server is immediately dropped... sounds familiar? I believe it's an
overflow.

Another way to access it (urm, I mean, cause crash) is something like:
'GET disk_object://xx/AAAAA...'. Btw. I'm wondering if there's anything
interesting available to download this way? There are some pictures,
disk_object://xx/help/graphics/help.gif and so on, but I haven't access to
NetCache box to check what else is inside... Aaaah, almost forgotten! Any
file within disk_object hierarchy might be downloaded as-is by appending
'/' to URL - for example, 'disk_object://xx/help/graphics/help.gif/' will
return text/plain dump of this GIF. This means, NetCache fails to classify
this file, so if there's any script or other special object, it won't be
recognized as something 'special'?

--

Just to make everything clear - I haven't shell access to running NetCache
box, so I cannot verify I'm absolutely right - eg. if there's anything
interesting within disk_objects or what exactly happens, but I think
there's absolutely something wrong, and there's no excuse for poor, even
commercial, code.

#include <stddiscl.h> // Standard Disclaimer applies

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
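
Added example, not part of the original post and not NetCache code: a C routine showing how an internal-request handler can bound the request target before copying it and strip the trailing '/' before choosing a content type, the two behaviours the message reports. The function names, limits and return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names and limits, chosen for illustration; not NetCache code. */
#define MAX_TARGET 2048  /* assumed cap on the whole request target */
#define MAX_PATH   256   /* assumed cap on an internal object path */
enum { RC_OK = 0, RC_TOO_LONG = -1, RC_NOT_INTERNAL = -2, RC_BAD_PATH = -3 };

/* Content type from the extension of the last path component. */
static const char *type_for(const char *path) {
    const char *dot = strrchr(path, '.');
    if (!dot || strchr(dot, '/')) return "application/octet-stream";
    if (strcmp(dot, ".gif") == 0)  return "image/gif";
    if (strcmp(dot, ".html") == 0) return "text/html";
    return "application/octet-stream";
}

/* Validate a disk_object:// target, copy its normalized path into out and
 * report the content type. Every length is checked before any byte is copied. */
int classify_internal(const char *target, char *out, size_t outlen,
                      const char **ctype) {
    static const char scheme[] = "disk_object://";
    size_t n = 0, plen;
    const char *path;

    while (n <= MAX_TARGET && target[n] != '\0') n++;   /* bounded scan */
    if (n > MAX_TARGET) return RC_TOO_LONG;
    if (strncmp(target, scheme, sizeof scheme - 1) != 0) return RC_NOT_INTERNAL;
    path = strchr(target + sizeof scheme - 1, '/');      /* skip host part */
    if (!path) return RC_BAD_PATH;
    plen = strlen(path);
    while (plen > 1 && path[plen - 1] == '/') plen--;    /* "help.gif/" -> "help.gif" */
    if (plen >= outlen || plen >= MAX_PATH) return RC_TOO_LONG;
    memcpy(out, path, plen);
    out[plen] = '\0';
    *ctype = type_for(out);
    return RC_OK;
}

int main(void) {
    char out[MAX_PATH];
    const char *ct = "";
    /* Constructed sample input, using the URL form quoted in the post. */
    int rc = classify_internal("disk_object://xx/help/graphics/help.gif/",
                               out, sizeof out, &ct);
    printf("rc=%d path=%s type=%s\n", rc, rc == RC_OK ? out : "-", ct);
    return 0;
}
```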
