
[SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities




SIG^2 Vulnerability Research Advisory

RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities

by Tan Chew Keong
Release Date: 01 Mar 2005


ADVISORY URL
http://www.security.org.sg/vuln/raidenhttpd1132.html


SUMMARY

RaidenHTTPD Server (http://www.raidenhttpd.com/en/index.html) is a full-featured 
web server for Windows 98 / Me / 2000 / XP / 2003 platforms. It is easy to 
install and use, and is designed for anyone who wants to have a website running 
within minutes. A CGI source code disclosure vulnerability was found in 
RaidenHTTPD that may be exploited to obtain the source code of any PHP script on 
the server. A buffer overflow vulnerability was also found that may be remotely 
exploited to cause a DoS or to execute arbitrary code.

 
TESTED SYSTEM

RaidenHTTPD Server Version 1.1.32 (Shareware) on English Win2K SP4.

 
DETAILS

This advisory documents two vulnerabilities found in RaidenHTTPD server. The 
first vulnerability may be remotely exploited to obtain the source code of any 
PHP scripts on the server. The second is a buffer overflow vulnerability that 
may be remotely exploited to cause DoS or to execute arbitrary code on the 
server.


1. CGI source code disclosure vulnerability.

RaidenHTTPD supports the use of CGI scripts using PHP or PERL. The default 
installation comes with PHP installed. Using a specially crafted URL, it is 
possible to obtain the source code of any PHP scripts on the server. 


2. Buffer overflow when processing HTTP requests with long URI.

A buffer overflow condition occurs when RaidenHTTPD receives a request whose 
URI is longer than 524 characters. Successful exploitation allows code execution 
with LOCAL SYSTEM privilege.
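A defender-side check built from the two figures above, added here as an example and not part of the advisory: it measures the URI in each HTTP request line against the 524-character limit and compares a Server banner (layout assumed to be "RaidenHTTPD/x.y.z") against the fixed 1.1.34 release.

```python
import re

# Figures from the advisory: the overflow triggers on a URI longer than 524
# characters, and version 1.1.34 is the vendor's fixed release.
URI_LIMIT = 524
FIXED_VERSION = (1, 1, 34)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
# Assumed banner layout ("RaidenHTTPD/x.y.z"); adjust to the real Server header.
BANNER = re.compile(r"RaidenHTTPD/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def uri_length(request_line):
    """Return the URI length of an HTTP request line, or None if it is malformed."""
    m = REQUEST_LINE.match(request_line.strip())
    return len(m.group(2)) if m else None


def scan_request_lines(lines, limit=URI_LIMIT):
    """Return (line_index, uri_length) for each request line whose URI exceeds the limit."""
    findings = []
    for i, line in enumerate(lines):
        n = uri_length(line)
        if n is not None and n > limit:
            findings.append((i, n))
    return findings


def banner_is_unpatched(server_header):
    """True if the Server header names a RaidenHTTPD build older than the fixed version."""
    m = BANNER.search(server_header)
    if not m:
        return False
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


# Constructed sample request lines (not real traffic): only the third exceeds the limit.
SAMPLE_LINES = [
    "GET /index.php HTTP/1.1",
    "GET /" + "a" * 523 + " HTTP/1.0",   # exactly 524 chars: at the limit, not over it
    "GET /" + "a" * 600 + " HTTP/1.1",   # 601 chars: over the limit
    "garbage line that is not a request",
]

if __name__ == "__main__":
    for idx, n in scan_request_lines(SAMPLE_LINES):
        print(f"line {idx}: URI of {n} chars exceeds {URI_LIMIT}")
    print("unpatched banner:", banner_is_unpatched("Server: RaidenHTTPD/1.1.32"))
```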



PATCH

Vendor has released version 1.1.34 that fixes these vulnerabilities.

 
DISCLOSURE TIMELINE

20 Feb 05 - Vulnerability Discovered.
22 Feb 05 - Initial Vendor Notification.
22 Feb 05 - Initial Vendor Reply.
22 Feb 05 - Received notification from vendor that fixed version 1.1.34 is 
released.
01 Mar 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."