NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2007-09

Re: [Full-disclosure] [fuzzing] Vulnerable test application: Simple Web Server (SWS)

From: Ari Takanen (ari.takanencodenomicon.com)
Date: Fri Sep 14 2007 - 14:37:28 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thanks Gadi,

Good stuff. Only problem we are having with it that it keeps crashing
even with all the vulnerabilities disabled in the GUI. This makes
verifying the findings a bit harder. :)

E.g. disable all vulnerabilities in the GUI and try sending this
through netcat to SWS and voila!

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Content-Length: -1
Host: www.example.com:80
User-Agent: Mozilla/4.0 (compatible; Codenomicon HTTP Server Test Tool; Windows NT 5.1; 11549; http11-content-length-v-int)

Best regards,

Ari Takanen & Jari Tauriainen (who did the dirty testing work)

PS. "This web server MUST NEVER BE USED ON THE INTERNET" - couldn't agree
more, even with all the intended vulnerabilities disabled. ;)

PPS. Seriously, Good Work! We need more neutral non-critical test
targets like this. ;)

On Mon, Sep 10, 2007 at 12:00:02PM -0500, fuzzing-requestwhitestar.linuxbox.org wrote:
> Date: Mon, 10 Sep 2007 01:06:29 -0500 (CDT)
> From: Gadi Evron <gelinuxbox.org>
>
> Every once in a while (last time a few months ago) someone emails one of
> the mailing lists about searching for an example binary, mostly for:
>
> - Reverse engineering for vulnerabilities, as a study tool.
> - Testing fuzzers
>
> Some of these exist, but I asked my employer, Beyond Security, to release
> our test application, specific for testing fuzzing (built for the beSTORM
> fuzzer). They agreed to release the HTTP version, following their
> agreement to release our ANI XML specification.
>
> The GUI allows you to choose what port your want to run it on, as well as
> which vulnerabilities should be "active".
>
> It is called Simple Web Server or SWS, and has the following
> vulnerabilities:
>
> 1. Off-By-One in Content-Length (Integer overflow/malloc issue)
> 2. Overflow in User-Agent
> 3. Overflow in Method
> 4. Overflow in URI
> 5. Overflow in Host
> 6. Overflow in Version
> 7. Overflow in complete packet
> 8. Off By One in Receive function (linefeed/carriage return issue)
> 9. Overflow in Authorization Type
> 10. Overflow in Base64 decoded
> 11. Overflow in Username of authorization
> 12. Overflow in Password of authorization
> 13. Overflow in Body
> 14. Cross site scripting
>
> It can be found on Beyond Security's website, here:
> http://www.beyondsecurity.com/sws_overview.html
>
> Thanks,
>
> Gadi Evron.

--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanencodenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]