SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  tc.SimpleWebServer Vendors:  TelCondex Software
tc.SimpleWebServer Buffer Overflow in Processing the HTTP Referer Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008036
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 29 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.12.30210 Build 3285
Description:  A vulnerability was reported in the TelCondex tc.SimpleWebServer. A remote user can execute arbitrary code on the target server.

It is reported that the software does not properly validate the length of the HTTP Referer field. A remote user can supply a specially crafted value to trigger the overflow and overwrite the stack to execute arbitrary code. The code will run with the privileges of the tc.SimpleWebServer process.

A demonstration exploit transcript is provided:

netcat webserver 80

GET /index.htm HTTP/1.0\r\n
Referer: 700 x [A]\r\n\r\n

According to the report, a user-supplied buffer of 704 bytes will overwrite the return address on the stack.

The vendor was reportedly notified on October 27, 2003 and provided a fix on October 28, 2003.
Impact:  A remote user can execute arbitrary code on the target server with the privileges of the tc.SimpleWebServer process.
Solution:  The vendor has released a fixed version (2.13), available at:

http://www.yourinfosystem.de/download/TcSimpleWebServer2000Setup.exe
Vendor URL:  www.telcondex.de/pub/sws_default.htm (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  "Oliver Karow" <Oliver.Karow@gmx.de>
Message History:   None.

 Source Message Contents
Date:  Wed, 29 Oct 2003 09:49:23 +0100 (MET)
From:  "Oliver Karow" <Oliver.Karow@gmx.de>
Subject:  TelCondex SimpleWebserver Buffer Overflow

 

TelCondex SimpleWebserver Buffer Overflow
=========================================

The TelCondex SimpleWebserver 2.12.30210 Build 3285 is vulnerable to a 
remote executable buffer overflow, due to missing length check on the 
referer-variable of the HTTP-header.

It is possible to overwrite the stack, and therefore to execute 
arbitrary code on the system. 

The vuln can be tested with netcat or telnet:

netcat webserver 80

GET /index.htm HTTP/1.0\r\n
Referer: 700 x [A]\r\n\r\n

The Webserver crashes at >= 700 bytes. A buffer of 704 bytes will overwrite 
the return address on the stack.

The vendor was informed about the vuln on Mon. 27.10.03, and respondet
on Tue. 28.10.03 with a fixed version!

The new (fixed) version (2.13) is available at:

http://www.yourinfosystem.de/download/TcSimpleWebServer2000Setup.exe


Regards,

Oliver Karow

email: oliver.karow_AT_gmx.de
web:   www.oliverkarow.de

-- 
NEU FÜR ALLE - GMX MediaCenter - für Fotos, Musik, Dateien...
Fotoalbum, File Sharing, MMS, Multimedia-Gruß, GMX FotoService

Jetzt kostenlos anmelden unter http://www.gmx.net

+++ GMX - die erste Adresse für Mail, Message, More! +++


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC