[SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities
SIG^2 Vulnerability Research Advisory
RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities
by Tan Chew Keong
Release Date: 01 Mar 2005
ADVISORY URL
http://www.security.org.sg/vuln/raidenhttpd1132.html
SUMMARY
RaidenHTTPD Server (http://www.raidenhttpd.com/en/index.html) is a
full-featured web server for Windows 98 / Me / 2000 / XP / 2003 platforms.
It is easy to use and install, and is designed for anyone who wants to have a
website running within minutes. A CGI source code disclosure vulnerability was
found in RaidenHTTPD that may be exploited to obtain the source code of any PHP
script on the server. A buffer overflow vulnerability was also found that may
be remotely exploited to cause a DoS and allow arbitrary code execution.
TESTED SYSTEM
RaidenHTTPD Server Version 1.1.32 (Shareware) on English Win2K SP4.
DETAILS
This advisory documents two vulnerabilities found in RaidenHTTPD server. The
first vulnerability may be remotely exploited to obtain the source code of any
PHP scripts on the server. The second is a buffer overflow vulnerability that
may be remotely exploited to cause DoS or to execute arbitrary code on the
server.
1. CGI source code disclosure vulnerability.
RaidenHTTPD supports the use of CGI scripts using PHP or PERL. The default
installation comes with PHP installed. Using a specially crafted URL, it is
possible to obtain the source code of any PHP scripts on the server.
2. Buffer overflow when processing HTTP requests with a long URI.
A buffer overflow condition occurs when RaidenHTTPD receives a URI of more
than 524 characters. Successful exploitation allows code execution
with LOCAL SYSTEM privilege.
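The class of fix for item 2, shown as an added example that is not RaidenHTTPD's code and does not come from the advisory: a request-line parser that checks the URI length before copying and rejects over-long URIs with 414. The function name, status enum and the 524-character limit used as the cut-off are assumptions made for illustration; the server's actual buffer size is not stated here.

```c
#include <stddef.h>
#include <string.h>

/* Assumed policy limit: the advisory reports the overflow for URIs longer
 * than 524 characters; the real buffer size in the server is not published. */
#define MAX_URI_LEN 524

enum parse_status { PARSE_OK = 200, PARSE_BAD_REQUEST = 400, PARSE_URI_TOO_LONG = 414 };

/* Hypothetical helper: copy the request-target of "METHOD SP URI SP VERSION"
 * into uri_out. The length is validated against both the policy limit and
 * the destination capacity before any byte is copied, so an over-long URI
 * is rejected instead of being written past the end of the buffer. */
int parse_request_uri(const char *line, size_t line_len,
                      char *uri_out, size_t uri_cap)
{
    if (line == NULL || uri_out == NULL || uri_cap == 0)
        return PARSE_BAD_REQUEST;
    uri_out[0] = '\0';

    const char *end = line + line_len;
    const char *sp1 = memchr(line, ' ', line_len);
    if (sp1 == NULL || sp1 == line)
        return PARSE_BAD_REQUEST;              /* no method token */

    const char *uri = sp1 + 1;
    const char *sp2 = memchr(uri, ' ', (size_t)(end - uri));
    if (sp2 == NULL || sp2 == uri)
        return PARSE_BAD_REQUEST;              /* no URI or no version */

    size_t uri_len = (size_t)(sp2 - uri);
    if (uri_len > MAX_URI_LEN || uri_len >= uri_cap)
        return PARSE_URI_TOO_LONG;             /* reject, never truncate */
    if (memchr(uri, '\0', uri_len) != NULL)
        return PARSE_BAD_REQUEST;              /* embedded NUL in the URI */

    memcpy(uri_out, uri, uri_len);             /* uri_len < uri_cap holds */
    uri_out[uri_len] = '\0';
    return PARSE_OK;
}
```

Rejecting rather than truncating matters: a silently shortened URI can resolve to a different resource than the one the client requested.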
PATCH
The vendor has released version 1.1.34, which fixes these vulnerabilities.
DISCLOSURE TIMELINE
20 Feb 05 - Vulnerability Discovered.
22 Feb 05 - Initial Vendor Notification.
22 Feb 05 - Initial Vendor Reply.
22 Feb 05 - Received notification from vendor that fixed version 1.1.34 is
released.
01 Mar 05 - Public Release.
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."