| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070914193728.GB26493@codenomicon.com> Date: Fri, 14 Sep 2007 22:37:28 +0300 From: Ari Takanen <ari.takanen@...enomicon.com> To: fuzzing@...testar.linuxbox.org Cc: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com Subject: Re: [fuzzing] Vulnerable test application: Simple Web Server (SWS) Thanks Gadi, Good stuff. Only problem we are having with it that it keeps crashing even with all the vulnerabilities disabled in the GUI. This makes verifying the findings a bit harder. :) E.g. disable all vulnerabilities in the GUI and try sending this through netcat to SWS and voila! GET / HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, */* Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: Keep-Alive Content-Length: -1 Host: www.example.com:80 User-Agent: Mozilla/4.0 (compatible; Codenomicon HTTP Server Test Tool; Windows NT 5.1; 11549; http11-content-length-v-int) Best regards, Ari Takanen & Jari Tauriainen (who did the dirty testing work) PS. "This web server MUST NEVER BE USED ON THE INTERNET" - couldn't agree more, even with all the intended vulnerabilities disabled. ;) PPS. Seriously, Good Work! We need more neutral non-critical test targets like this. ;) On Mon, Sep 10, 2007 at 12:00:02PM -0500, fuzzing-request@...testar.linuxbox.org wrote: > Date: Mon, 10 Sep 2007 01:06:29 -0500 (CDT) > From: Gadi Evron <ge@...uxbox.org> > > Every once in a while (last time a few months ago) someone emails one of > the mailing lists about searching for an example binary, mostly for: > > - Reverse engineering for vulnerabilities, as a study tool. > - Testing fuzzers > > Some of these exist, but I asked my employer, Beyond Security, to release > our test application, specific for testing fuzzing (built for the beSTORM > fuzzer). They agreed to release the HTTP version, following their > agreement to release our ANI XML specification. > > The GUI allows you to choose what port your want to run it on, as well as > which vulnerabilities should be "active". > > It is called Simple Web Server or SWS, and has the following > vulnerabilities: > > 1. Off-By-One in Content-Length (Integer overflow/malloc issue) > 2. Overflow in User-Agent > 3. Overflow in Method > 4. Overflow in URI > 5. Overflow in Host > 6. Overflow in Version > 7. Overflow in complete packet > 8. Off By One in Receive function (linefeed/carriage return issue) > 9. Overflow in Authorization Type > 10. Overflow in Base64 decoded > 11. Overflow in Username of authorization > 12. Overflow in Password of authorization > 13. Overflow in Body > 14. Cross site scripting > > It can be found on Beyond Security's website, here: > http://www.beyondsecurity.com/sws_overview.html > > Thanks, > > Gadi Evron. -- -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o- Ari Takanen Codenomicon Ltd. ari.takanen@...enomicon.com Tutkijantie 4E tel: +358-40 50 67678 FIN-90570 Oulu http://www.codenomicon.com Finland PGP: http://www.codenomicon.com/codenomicon-key.asc -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists