SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Savant (web server) Vendors:   Lamont, Michael
Savant Web Server Can Be Crashed Remotely With Certain HTTP Requests
SecurityTracker Alert ID:  1001248
SecurityTracker URL:  http://securitytracker.com/id/1001248
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 6 2001
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   It was reported that the Savant web server contains a vulnerability that allows a remote user to send a special HTTP request to the server to cause the web server process to crash.

Apparently, the timing of the HTTP request is significant. If an HTTP request of the following format is sent:

GET / HTTP/1.1
Host:AAAAAAAAAAAAAAAAAAAA.....

(where the Host value is 260 "A" characters), then approximately 3 seconds elapse before a carriage return is sent, the server application will reportedly crash. The server application will not issue any messages in the error log. On Windows 98, it will indicate that there was "an invalid page fault in module KERNEL32.DLL."
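As a defensive illustration added here (not code from the original report or from the Savant project), the parser below reads request headers incrementally and bounds every header line, including a line whose terminator has not arrived yet, so an overlong Host value is rejected before the pause and the trailing carriage return come into play. The 255-byte bound, the class and function names, and the sample requests are assumptions constructed for the example.

```python
MAX_LINE = 255  # illustrative bound (assumption); the reported trigger is a 260-byte Host value

class RequestTooLarge(Exception):
    """Raised as soon as any header line, finished or not, exceeds the bound."""

class HeaderParser:
    """Incremental HTTP/1.x request-header parser with a per-line size bound.

    Bytes arrive in arbitrary chunks. In the report the overlong Host line and
    the terminating CR/LF arrive about 3 seconds apart, so the bound is also
    applied to the partial line still waiting for its terminator."""

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self.buf = b""
        self.lines = []      # completed header lines, request line first
        self.done = False    # True once the empty line ending the block arrives

    def feed(self, chunk):
        self.buf += chunk
        while not self.done:
            idx = self.buf.find(b"\n")
            if idx == -1:
                # No terminator yet: an unterminated line must not grow unbounded.
                if len(self.buf) > self.max_line:
                    raise RequestTooLarge("partial header line exceeds bound")
                return
            line, self.buf = self.buf[:idx].rstrip(b"\r"), self.buf[idx + 1:]
            if len(line) > self.max_line:
                raise RequestTooLarge("header line exceeds bound")
            if line == b"":
                self.done = True
            else:
                self.lines.append(line)

    def headers(self):
        """Header fields from the completed block, names lowercased."""
        fields = {}
        for line in self.lines[1:]:
            name, _, value = line.partition(b":")
            fields[name.strip().lower().decode()] = value.strip().decode("latin-1")
        return fields

def classify(chunks, max_line=MAX_LINE):
    """Feed chunks in order; return 'rejected', 'complete' or 'incomplete'."""
    parser = HeaderParser(max_line)
    try:
        for chunk in chunks:
            parser.feed(chunk)
    except RequestTooLarge:
        return "rejected"
    return "complete" if parser.done else "incomplete"

# Constructed sample traffic modelled on the report: overlong Host, pause, CR/LF.
REPORTED_REQUEST = [b"GET / HTTP/1.1\r\nHost:" + b"A" * 260, b"\r\n", b"\r\n"]
# Constructed benign request for comparison.
BENIGN_REQUEST = [b"GET / HTTP/1.1\r\nHost: example.test\r\n", b"\r\n"]
```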

Impact:   A remote user can cause the server application to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  savant.sourceforge.com
Cause:   Exception handling error
Underlying OS:  Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Savant 3.0 Denial Of Service


Not exactly sure what the problem is because it will handle the same request from a program that does the same thing.
"Time is a factor" so pay attention man ;P
Connect to the server using telnet or something and type in the following:

GET / HTTP/1.1
Host:AAAAAAAAAAAAAAAAAAAA.....

Where A x 260, hit return, wait 3 seconds, hit return again and you should see it crash. I tested this locally and remotely on both Windows 98 and NT-4.
Oh yeah, no error messages are given on NT for some reason, the program simply terminates, yes, no more connections, got that? The following was displayed on Windows 98. If you do not give it the time, it doesn't work, got that okay?
So don't come saying "I threw so many characters at it and nothing happened", do as I say, and it will work.

SAVANT caused an invalid page fault in
module KERNEL32.DLL at 015f:bff87eb5.
Registers:
EAX=c00300f0 CS=015f EIP=bff87eb5 
EFLGS=00010212
EBX=011bff88 SS=0167 ESP=010bffec 
EBP=010c0058
ECX=10020c01 DS=0167 ESI=8163c414 FS=41af
EDX=bff76859 ES=0167 EDI=010c0238 GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75 
Stack dump:


Sending the same request using a perl script didn't seem to affect the server at all, which is why I can't tell what's wrong. But who cares? *shrug*

----------------------------------------------------------------

cut....
BTW Moderator, because you have been told that maybe the Lansuite DoS against version 1.0.34 doesn't work, can I tell you that it is still effective against the latest 1.0.35 and is effective locally as well as remotely on both Windows 98 and NT-4 as I have tested. I have drwatson logs to prove it.
The trick in the problem is the forward slash before HTTP/1.1 like %2fHTTP/1.1 - Get me sir?
So update your database please, people depend on it, even the developers!!!


Copyright 2017, SecurityGlobal.net LLC