TITLE: Red Hat Directory Server / Certificate Server Buffer Overflow SECUNIA ADVISORY ID: SA18590 VERIFY ADVISORY: http://secunia.com/advisories/18590/ CRITICAL: Moderately critical IMPACT: Privilege escalation, System access WHERE: >From local network SOFTWARE: Netscape Directory Server 4.x http://secunia.com/product/3318/ Netscape Certificate Management System 4.x http://secunia.com/product/3832/ Netscape Directory Server 6.x http://secunia.com/product/3841/ Red Hat Certificate System 7.x http://secunia.com/product/7017/ Red Hat Directory Server 7.x http://secunia.com/product/7016/ DESCRIPTION: Peter Winter-Smith of NGSSoftware has reported a vulnerability in Red Hat Directory Server and Red Hat Certificate System, which can be exploited by malicious, local users to gain escalated privileges and potentially by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error related to the Help buttons available in the Admin pages of the Management Console. This can be exploited to cause a stack-based buffer overflow by connecting to the Management Console and sending a specially crafted request. According to the vendor, it is not possible to exploit the vulnerability remotely on Unix systems. However, it is exploitable by local users to gain root privileges. The vulnerability has been reported in Red Hat Directory Server 7.1, Red Hat Certificate System 7.1, and prior Netscape releases of these products. SOLUTION: The vendor has fixed the vulnerability in Red Hat Directory Server 7.1 SP1, which is available via Red Hat Network. The vulnerability is also addressed in Red Hat Certificate System 7.1 SP1, which will be available in early 2006. The vendor recommends removing the "help.cgi" file in the meantime. PROVIDED AND/OR DISCOVERED BY: Peter Winter-Smith of NGSSoftware ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------