4627859 1999-12-31  19:20  /126 rader/ Postmaster
Mottagare: Bugtraq (import) <9110>
Ärende: Local / Remote GET Buffer Overflow Vulnerability in Analog 
------------------------------------------------------------
             SimpleServer:WWW HTTP Server v1.1
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Message-ID:  <NCBBKFKDOLAGKIAPMILPAEPECBAA.labs@ussrback.com>
Date:         Fri, 31 Dec 1999 05:22:38 -0300
Reply-To: Ussr Labs <labs@USSRBACK.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Ussr Labs <labs@USSRBACK.COM>
X-To:         BUGTRAQ <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Happy New Year! to All!!


Local / Remote GET Buffer Overflow Vulnerability in AnalogX
SimpleServer:WWW HTTP Server v1.1

USSR Advisory Code:   USSR-99029

Release Date:
December 31, 1999 [5/5] (not the original one), original [5/5] will
be released 15/01/1900 :)

Systems Affected:
AnalogX SimpleServer:WWW HTTP Server v1.1 for Win9x and possibly
others versions.

About The Software:
Introducing AnalogX SimpleServer:WWW, the first in a series of simple
to use yet
powerful servers! This webserver is SO easy to use, about the only
thing you need
to know how to do is drag and drop files; then just click on the
'Start' button, and
you're webserver is up and running, serving your pages to the world!
SimpleServer:WWW supports MIME file typing, CGI, common log format,
and multi-hosting, just to name a few! If you've always wanted a
compact,
easy to use, versatile webserver, then you're prayers have been
answered.

THE PROBLEM

UssrLabs found a Local / Remote Buffer overflow, The code that
handles GET commands
has an unchecked buffer that will allow arbitrary code to be executed
if it is overflowed.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another
contribution
to w00giving for all you w00nderful people out there. You do know
what
w00giving is don't you? http://www.w00w00.org/advisories.html

Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 <enter><enter>

Where [buffer] is aprox. 1000 characters. At his point the server
overflows.

And in remote machine someone will be see something like this.

HTTP caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246
EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080
ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47
EDX=bff76855 ES=0187 EDI=00af012c GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855
00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104
41414141 00af02f0

Binary or source for this Exploit (wen we finish it):

http://www.ussrback.com/

Vendor Status:
Informed.

Vendor   Url:  http://www.analogx.com/
Program Url:
http://www.analogx.com/contents/download/network/sswww.htm

Credit: USSRLABS

SOLUTION
 Noting yet.

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Brock
Tellier, Technotronic and
Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c
h
http://www.ussrback.com


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOGxnytybEYfHhkiVEQJK5wCgmaLVBV+HgxkGsohLqg4KACZ7GjoAn1Ia
80kx+RvCDy/TwvA/8/krjvME
=H+Dr
-----END PGP SIGNATURE-----
(4627859) ------------------------------------------