
Preemptive Protection against Rhino Software Serv-U Web Client HTTP Request Remote Buffer Overflow


Check Point Reference: CPAI-2009-245
Date Published:
Preemptive Since:
Severity:
Source: Bugtraq ID: 36895
Industry Reference(s): N/A
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Rhino Software Serv-U 9.0.0.5 and prior
Vulnerability Description
A vulnerability has been reported in Rhino Software Serv-U. The vulnerability is due to a buffer overflow that can occur when the Web Client handles HTTP requests containing overly large cookie session values. Remote attackers could exploit this vulnerability by sending a malicious HTTP request to a vulnerable version of the application. Successful exploitation of this vulnerability would result in arbitrary code injection and execution.
Update/Patch Available
The vendor, Rhino Software, has not released a patch or new release that addresses this vulnerability.
Vulnerability Details
If code execution is not successful, the affected application may terminate abnormally.

Protection Overview

By enabling this protection, IPS-1 will detect and block HTTP requests that contain lines exceeding a configurable byte-length threshold.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Strict Compliance protection group.
3. Click Long HTTP Line (IPS-1 NGX R65 only).
4. De-select the 'Ignore maximum length for cookies' checkbox.
5. In the configuration pane, under Settings, check Active.
6. Click on Install Policy.

To configure the threshold:

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Strict Compliance protection group.
3. Click Long HTTP Line (IPS-1 NGX R65 only).
4. Enter a value for 'Maximum length of an HTTP request'.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: HTTP Compliance
Description: Long HTTP Line
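
The per-line length check that the Long HTTP Line protection is described as performing, sketched as an added Python example (not Check Point's implementation and not code from this advisory). It shows why the 'Ignore maximum length for cookies' option has to be de-selected for this vulnerability. The function names, the 4096-byte threshold, the host name and the sample requests are assumptions constructed for illustration.

```python
# Added illustration: per-line length check on an HTTP request head.
# Function names, the threshold and the sample requests are assumptions.

MAX_LINE_BYTES = 4096  # assumed value; the product's threshold is configurable


def long_http_lines(raw_head: bytes, max_len: int = MAX_LINE_BYTES,
                    ignore_cookies: bool = False):
    """Return (line_number, header_name, length) for each over-long line.

    Scanning stops at the blank line that ends the headers, so body bytes
    are never measured.
    """
    findings = []
    for number, line in enumerate(raw_head.split(b"\n"), start=1):
        line = line.rstrip(b"\r")            # accept CRLF and bare LF endings
        if not line:
            break                            # end of headers
        if number == 1:
            name = "request-line"
        else:
            name = line.split(b":", 1)[0].strip().decode("latin-1").lower()
        if ignore_cookies and name == "cookie":
            continue                         # the exemption the procedure turns off
        if len(line) > max_len:
            findings.append((number, name, len(line)))
    return findings


def build_request(cookie_value: str) -> bytes:
    """Constructed sample request to a hypothetical host."""
    return (
        "GET / HTTP/1.1\r\n"
        "Host: ftp.example.test\r\n"
        f"Cookie: Session={cookie_value}\r\n"
        "Accept: */*\r\n"
        "\r\n"
    ).encode("latin-1")


if __name__ == "__main__":
    oversized = build_request("x" * 8000)    # constructed over-long cookie value
    print(long_http_lines(build_request("a1b2c3d4")))
    print(long_http_lines(oversized))
    print(long_http_lines(oversized, ignore_cookies=True))
```

With the cookie exemption left on, the oversized Cookie header produces no finding, which is the gap the de-select step closes.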