SecurityTracker.com
Category:  Application (Web Server/CGI)  >  myServer (myserverweb.sourceforge.net)
Vendors:  myserverweb.sourceforge.net
MyServer 'cgi-lib.dll' Buffer Overflow Permits Remote Code Execution
SecurityTracker Alert ID:  1007693
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 13 2003
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.4.3 and prior versions
Description:  A buffer overflow vulnerability was reported in MyServer. A remote user can execute arbitrary code with the privileges of the target MyServer process.

Moozatech reported that the 'cgi-lib.dll' MSCGI library does not properly process long URL variables. A remote user can reportedly submit a specially crafted HTTP request to trigger a buffer overflow and execute arbitrary code.

A demonstration exploit request is provided:

GET /cgi-bin/math_sum.mscgi?a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
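
The boundary error described above, shown from the fixing side as a bounds-checked lookup of a URL variable. This is an added example, not MyServer's or Moozatech's code: query_value() and its return codes are hypothetical, and the advisory does not show the vulnerable source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MyServer's API): copy the value of URL
 * variable `name` from `query` ("a=1&b=2") into out[outsz].
 * Returns the value length, -1 if the variable is absent, or -2 if the
 * value does not fit, in which case nothing is copied.
 * Assumption: the unsafe pattern is an unbounded copy (strcpy-style) of
 * the value into a fixed-size array, the classic boundary error. */
int query_value(const char *query, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = query;

    if (outsz == 0)
        return -2;
    out[0] = '\0';

    while (*p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        /* Match "name=" only at the start of a segment, so "ab=1"
         * is never mistaken for variable "a". */
        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seglen - nlen - 1;
            if (vlen >= outsz)      /* the length check the overflow lacks */
                return -2;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return -1;
}

int main(void)
{
    char query[128] = "a=", val[32];

    memset(query + 2, 'A', 86);     /* constructed over-long value */
    printf("long value: %d\n", query_value(query, "a", val, sizeof val));
    printf("normal:     %d (%s)\n",
           query_value("a=2&b=40", "b", val, sizeof val), val);
    return 0;
}
```

A caller that receives -2 should reject the request instead of truncating the value and continuing.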

Impact:  A remote user can execute arbitrary code with the privileges of the MyServer process.
Solution:  The vendor has released a fix, available via CVS at:

http://myserverweb.sourceforge.net/cvs.php

A patch is reportedly planned for the next release of the software.

Vendor URL:  myserverweb.sourceforge.net/forum/portal.php
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Moran" <moran@moozatech.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 12 Sep 2003 06:58:29 -0700
From:  "Moran" <moran@moozatech.com>
Subject:  Moozatech: MyServer Buffer Overflow vulnerability

 

12/09/03

Moozatech Advisory		http://www.moozatech.com/mt-12-09-2003.txt

-------------------------------------------------------

Application: MyServer Web Server
Web Site:    http://myserverweb.sf.net
Versions:    0.4.3 and below
Platform:    Windows98,Windows2000,Linux
Bug:         Buffer Overflow.
Risk:        Remote DOS and unauthorized remote access.
Severity:    High
Fix Available: Yes
-------------------------------------------------------

1) Introduction
2) Bug
3) The Code
4) Fix
5) About Moozatech

===============
1) Introduction
===============

MyServer is a free, powerful web server program designed to be easily run
on a personal computer by the average computer user.
It is a multithreaded application and supports HTTP, CGI, ISAPI, WinCGI and
FastCGI protocols.


======
2) Bug
======

A buffer overflow might allow a remote attacker to invoke malicious code by
submitting a request containing excessive data.
That will cause a buffer overflow and might allow running code of choice
under the web server's privileges.
The problem is in the MSCGI library (cgi-lib.dll), which doesn't correctly
handle long string values for the URI variables.


====================
3) Proof of concept.
====================

nc.exe -v www.victim.com < request.txt

--
The script is attached.
This will crash the program with a memory overflow.


======
4) Fix
======

The author has confirmed this bug, and a temporary fix is available through
the MyServer CVS repository at:
http://myserverweb.sourceforge.net/cvs.php
A complete patch will be available in the next upcoming release of MyServer.


==================
5) About Moozatech
==================

Moozatech IT Systems Ltd. (“Moozatech”) is a leading information security
consulting and project management firm focused on developing
"Secure IT Solutions" which best suit the client's operational needs.
Moozatech devotes time to make a secure computing environment for customers.

-----

Moran Zavdi
Moozatech IT Systems
www.moozatech.com

Attachment: request.txt

GET /cgi-bin/math_sum.mscgi?a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Moozatech (compatible; Moozatech Scanner)
Host: 12.12.12.12
Connection: Keep-Alive

 



Copyright 2002, SecurityGlobal.net LLC