SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   MyServer (myserverproject.net) Vendors:   myserverproject.net
MyServer 'cgi-lib.dll' Buffer Overflow Permits Remote Code Execution
SecurityTracker Alert ID:  1007693
SecurityTracker URL:  http://securitytracker.com/id/1007693
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 13 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.4.3 and prior versions
Description:   A buffer overflow vulnerability was reported in MyServer. A remote user can execute arbitrary code with the privileges of the target MyServer process.

Moozatech reported that the 'cgi-lib.dll' MSCGI library does not properly process long URL variables. A remote user can reportedly submit a specially crafted HTTP request to trigger a buffer overflow and execute arbitrary code.

A demonstration exploit request is provided:

GET /cgi-bin/math_sum.mscgi?a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
Impact:   A remote user can execute arbitrary code with the privileges of the MyServer process.
Solution:   The vendor has released a fix, available via CVS at:

http://myserverweb.sourceforge.net/cvs.php

A patch is reportedly planned for the next release of the software.
Vendor URL:  myserverweb.sourceforge.net/forum/portal.php (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Fri, 12 Sep 2003 06:58:29 -0700
Subject:  Moozatech: MyServer Buffer Overflow vulnerability


------=_NextPart_000_0004_01C378FB.45718DA0
Content-Type: text/plain;
	charset="windows-1255"
Content-Transfer-Encoding: 8bit

12/09/03

Moozatech Advisory		http://www.moozatech.com/mt-12-09-2003.txt

-------------------------------------------------------

Application: MyServer Web Server
Web Site:    http://myserverweb.sf.net
Versions:    0.4.3 and below
Platform:    Windows98,Windows2000,Linux
Bug:         Buffer Overflow.
Risk:        Remote DOS and unauthorized remote access.
Severity:    High
Fix Available: Yes
-------------------------------------------------------

1) Introduction
2) Bug
3) The Code
4) Fix
5) About Moozatech

===============
1) Introduction
===============

MyServer is a free, powerful web server program designed to be easily run on
a personal
Computer by the average computer user.
It is a multithread application and supports HTTP, CGI, ISAPI, WinCGI and
FastCGI protocols.


======
2) Bug
======

a buffer overflow might allow Remote attacker to invoke malicious code by
submitting a request containing excessive data.
That will cause a buffer overflow and might allow to run code of choice
Under the web server privileges.
The problem is in the MSCGI library (cgi-lib.dll) that doesn’t handle
correctly long
String values for the URI variables.


====================
3) Proof of concept.
====================

nc.exe -v www.victim.com < request.txt

--
The script is attached.
This will crash the program with a memory overflow.


======
4) Fix
======

The author has confirmed this bug and temporary fix is available through
MyServer cvs repository at:
http://myserverweb.sourceforge.net/cvs.php
Complete patch will be available in the next upcoming release of myserver.


==================
5) About Moozatech
==================

Moozatech IT Systems Ltd. (“Moozatech”) is a leading information security
consulting
and project management firm focused on developing
"Secure IT Solutions" which best suit the client's operational needs.
Moozatech devotes time to make a secure computing environment for customers.

-----

Moran Zavdi
Moozatech IT Systems
www.moozatech.com

------=_NextPart_000_0004_01C378FB.45718DA0
Content-Type: text/plain;
	name="mt-12-09-2003.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="mt-12-09-2003.txt"

12/09/03

Moozatech Advisory		http://www.moozatech.com/mt-12-09-2003.txt	=09

-------------------------------------------------------

Application: MyServer Web Server
Web Site:    http://myserverweb.sf.net
Versions:    0.4.3
Platform:    Windows98,Windows2000,Linux
Bug:         Buffer Overflow.
Risk:        Remote DOS and unauthorized remote access.
Severity:    High
Fix Available: Yes
-------------------------------------------------------

1) Introduction
2) Bug
3) The Code
4) Fix
5) About Moozatech

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
1) Introduction
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

MyServer is a free, powerful web server program designed to be easily =
run on a personal=20
Computer by the average computer user.=20
It is a multithread application and supports HTTP, CGI, ISAPI, WinCGI =
and FastCGI protocols.=20


=3D=3D=3D=3D=3D=3D
2) Bug
=3D=3D=3D=3D=3D=3D

a buffer overflow might allow Remote attacker to invoke malicious code =
by submitting a request containing excessive data.=20
That will cause a buffer overflow and might allow to run code of choice =
Under the web server privileges.
The problem is in the MSCGI library (cgi-lib.dll) that doesn=92t handle =
correctly long=20
String values for the URI variables.=20


=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
3) Proof of concept.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

nc.exe -v www.victim.com < request.txt
=20
--
The script is attached.
This will crash the program with a memory overflow.


=3D=3D=3D=3D=3D=3D
4) Fix
=3D=3D=3D=3D=3D=3D

The author has confirmed this bug and temporary fix is available through =

MyServer cvs repository at:
http://myserverweb.sourceforge.net/cvs.php
Complete patch will be available in the next upcoming release of =
myserver.


=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
5) About Moozatech
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Moozatech IT Systems Ltd. (=93Moozatech=94) is a leading information =
security consulting=20
and project management firm focused on developing=20
"Secure IT Solutions" which best suit the client's operational needs.=20
Moozatech devotes time to make a secure computing environment for =
customers.
------=_NextPart_000_0004_01C378FB.45718DA0
Content-Type: text/plain;
	name="request.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="request.txt"

GET =
/cgi-bin/math_sum.mscgi?a=3DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Moozatech (compatible; Moozatech Scanner)
Host: 12.12.12.12
Connection: Keep-Alive


------=_NextPart_000_0004_01C378FB.45718DA0--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC