SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   AdvServer Vendors:   GameCheats.ws
AdvServer Web Server Can Be Crashed By Remote Users Sending a Single CR/LF Sequence
SecurityTracker Alert ID:  1004611
SecurityTracker URL:  http://securitytracker.com/id/1004611
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 22 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.030000
Description:   A vulnerability has been reported in the AdvServer web server from GameCheats.ws. A remote user can cause the server to crash.

elab reported a remote user can connect to AdvServer and send a single CRLF sequence to cause a page fault in advserver.exe. If this is repeated (approximately 100 times), the web service will stop accepting new connections.

According to the report, a remote user can send various other strings that do not conform to the HTTP specification to cause the server to crash.

Impact:   A remote user can cause the web service to crash.
Solution:   No solution was available at the time of this entry.

The vendor reportedly plans to release a fixed version (1.04), to be available at:

http://gamecheats.ws/downloads/advserver.zip

Vendor URL:  www.gamecheats.ws/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  AdvServer DoS


------=_NextPart_000_01BC2B74.89D1CCC0
Content-type: text/plain; charset=US-ASCII


 Title:	AdvServer DoS
 Date:	21.06.02
 Author:	elab (http://elaboration.8bit.co.uk)
 Software:	AdvServer
 Platform:	Win32
 Tested:	Version 1.030000
 Vendor: 	WWW:		http://gamecheats.ws
 	Contacted on:	30 May 02
 	Via:		tassadar@mail.com && website
	Response:	Within 2 days

 
 WARNING:	This advisory has NOTHING to do with the Microsoft webserver of
 		a similar name.



 Summary:	
		From vendor's website (http://gamecheats.ws):

			"AdvServer is all you need for your web hosting
			needs, if you want a fast ,reliable ,and robust
			http web server then AdvServer is perfect for
			you. AdvServer Multithreading system allows
			you to handle insane amounts of web traffic.
			Smart PreCache system that loads frequently
			used files in to memory ,allowing for lightning fast
			server responces. Custom Api system so you
			are able to create library modules that increase
			the functionality of your website. AdvServer fully
			supports CGI applications such as Perl or PHP.
			Best of all AdvServer setup screen makes
			customization a breeze. Download AdvServer
			Today its free!"
 
		A DoS condition exists in AdvServer which can render the server
		unresponsive to further connections.

 Details:
 		Connecting to AdvServer and sending a single CRLF sequence
		causes a page fault in advserver.exe.  At this point the
		server still accepts new connections.  If this action is
		repeated around another 100 times the server stops accepting new
		connections.

		The version tested and found to be vulnerable was 1.030000.

		The platform tested on was Microsoft Windows 98SE.

 History:
 		Searches at securityfocus archives revealed no previous postings
		about this product yet a google search shows multiple download
		locations.

 Vendor:
 		Vendor was contacted on 30 May 02 via email and website.
		Initial response was:

		"your the first person with this problem that has contacted
		 me, but im currently working on another project sorry".
		
 		On 08.06.02 vendor was sent a copy of this advisory, packet
		dumps of the DoS as well as PoC code and two weeks to respond
		with a reasonable schedule for a fix before this information 
		would be made public.

		After further emails vendor stated:

		"the parsing module is being rebuilt, by june 17, 2002 version 
		 1.04 will have the new module fix"

 		As of release date no fixed version is available from vendor's
		website and vendor has become unresponsive to further attempts
		at communication.
		
		Also CC'ed a copy of this advisory.
		
 Workaround:
 		Use a non-development stage web server for your hosting.
		
 Notes:	
		In tests it took exactly 96 sockets and CRLF writes to crash
		the server (46 if you do it through localhost).  The sockets
		did not need to be kept open and were sequential as opposed to
		parallel.

		It seems that various non HTTP conformant data can crash the 
		server - a single CRLF per connection just seemed easiest.

		This advisory is also available from:
		http://elaboration.8bit.co.uk/projects/texts/advisories/AdvServer.DoS.txt
		
 	






_____________________________________________
Free email with personality! Over 200 domains!
http://www.MyOwnEmail.com

------=_NextPart_000_01BC2B74.89D1CCC0
Content-Type: text/plain; name="ACF1848.txt"
Content-Transfer-Encoding: base64
Content-Description: ACF1848.txt
Content-Disposition: attachment; filename="ACF1848.txt"

DQogVGl0bGU6CQlBZHZTZXJ2ZXIgRG9TDQogRGF0ZToJCTIxLjA2LjAyDQogQXV0aG9yOgllbGFi
IChodHRwOi8vZWxhYm9yYXRpb24uOGJpdC5jby51aykNCiBTb2Z0d2FyZToJQWR2U2VydmVyDQog
UGxhdGZvcm06CVdpbjMyDQogVGVzdGVkOglWZXJzaW9uIDEuMDMwMDAwDQogVmVuZG9yOiAJV1dX
OgkJaHR0cDovL2dhbWVjaGVhdHMud3MNCiAJCUNvbnRhY3RlZCBvbjoJMzAgTWF5IDAyDQogCQlW
aWE6CQl0YXNzYWRhckBtYWlsLmNvbSAmJiB3ZWJzaXRlDQoJCVJlc3BvbnNlOglXaXRoaW4gMiBk
YXlzDQoNCiANCiBXQVJOSU5HOglUaGlzIGFkdmlzb3J5IGhhcyBOT1RISU5HIHRvIGRvIHdpdGgg
dGhlIE1pY3Jvc29mdCB3ZWJzZXJ2ZXIgb2YNCiAJCWEgc2ltaWxhciBuYW1lLg0KDQoNCg0KIFN1
bW1hcnk6CQ0KCQlGcm9tIHZlbmRvcidzIHdlYnNpdGUgKGh0dHA6Ly9nYW1lY2hlYXRzLndzKToN
Cg0KCQkJIkFkdlNlcnZlciBpcyBhbGwgeW91IG5lZWQgZm9yIHlvdXIgd2ViIGhvc3RpbmcNCgkJ
CW5lZWRzLCBpZiB5b3Ugd2FudCBhIGZhc3QgLHJlbGlhYmxlICxhbmQgcm9idXN0DQoJCQlodHRw
IHdlYiBzZXJ2ZXIgdGhlbiBBZHZTZXJ2ZXIgaXMgcGVyZmVjdCBmb3INCgkJCXlvdS4gQWR2U2Vy
dmVyIE11bHRpdGhyZWFkaW5nIHN5c3RlbSBhbGxvd3MNCgkJCXlvdSB0byBoYW5kbGUgaW5zYW5l
IGFtb3VudHMgb2Ygd2ViIHRyYWZmaWMuDQoJCQlTbWFydCBQcmVDYWNoZSBzeXN0ZW0gdGhhdCBs
b2FkcyBmcmVxdWVudGx5DQoJCQl1c2VkIGZpbGVzIGluIHRvIG1lbW9yeSAsYWxsb3dpbmcgZm9y
IGxpZ2h0bmluZyBmYXN0DQoJCQlzZXJ2ZXIgcmVzcG9uY2VzLiBDdXN0b20gQXBpIHN5c3RlbSBz
byB5b3UNCgkJCWFyZSBhYmxlIHRvIGNyZWF0ZSBsaWJyYXJ5IG1vZHVsZXMgdGhhdCBpbmNyZWFz
ZQ0KCQkJdGhlIGZ1bmN0aW9uYWxpdHkgb2YgeW91ciB3ZWJzaXRlLiBBZHZTZXJ2ZXIgZnVsbHkN
CgkJCXN1cHBvcnRzIENHSSBhcHBsaWNhdGlvbnMgc3VjaCBhcyBQZXJsIG9yIFBIUC4NCgkJCUJl
c3Qgb2YgYWxsIEFkdlNlcnZlciBzZXR1cCBzY3JlZW4gbWFrZXMNCgkJCWN1c3RvbWl6YXRpb24g
YSBicmVlemUuIERvd25sb2FkIEFkdlNlcnZlcg0KCQkJVG9kYXkgaXRzIGZyZWUhIg0KIA0KCQlB
IERvUyBjb25kaXRpb24gZXhpc3RzIGluIEFkdlNlcnZlciB3aGljaCBjYW4gcmVuZGVyIHRoZSBz
ZXJ2ZXINCgkJdW5yZXNwb25zaXZlIHRvIGZ1cnRoZXIgY29ubmVjdGlvbnMuDQoNCiBEZXRhaWxz
Og0KIAkJQ29ubmVjdGluZyB0byBBZHZTZXJ2ZXIgYW5kIHNlbmRpbmcgYSBzaW5nbGUgQ1JMRiBz
ZXF1ZW5jZQ0KCQljYXVzZXMgYSBwYWdlIGZhdWx0IGluIGFkdnNlcnZlci5leGUuICBBdCB0aGlz
IHBvaW50IHRoZQ0KCQlzZXJ2ZXIgc3RpbGwgYWNjZXB0cyBuZXcgY29ubmVjdGlvbnMuICBJZiB0
aGlzIGFjdGlvbiBpcw0KCQlyZXBlYXRlZCBhcm91bmQgYW5vdGhlciAxMDAgdGltZXMgdGhlIHNl
cnZlciBzdG9wcyBhY2NlcHRpbmcgbmV3DQoJCWNvbm5lY3Rpb25zLg0KDQoJCVRoZSB2ZXJzaW9u
IHRlc3RlZCBhbmQgZm91bmQgdG8gYmUgdnVsbmVyYWJsZSB3YXMgMS4wMzAwMDAuDQoNCgkJVGhl
IHBsYXRmb3JtIHRlc3RlZCBvbiB3YXMgTWljcm9zb2Z0IFdpbmRvd3MgOThTRS4NCg0KIEhpc3Rv
cnk6DQogCQlTZWFyY2hlcyBhdCBzZWN1cml0eWZvY3VzIGFyY2hpdmVzIHJldmVhbGVkIG5vIHBy
ZXZpb3VzIHBvc3RpbmdzDQoJCWFib3V0IHRoaXMgcHJvZHVjdCB5ZXQgYSBnb29nbGUgc2VhcmNo
IHNob3dzIG11bHRpcGxlIGRvd25sb2FkDQoJCWxvY2F0aW9ucy4NCg0KIFZlbmRvcjoNCiAJCVZl
bmRvciB3YXMgY29udGFjdGVkIG9uIDMwIE1heSAwMiB2aWEgZW1haWwgYW5kIHdlYnNpdGUuDQoJ
CUluaXRpYWwgcmVzcG9uc2Ugd2FzOg0KDQoJCSJ5b3VyIHRoZSBmaXJzdCBwZXJzb24gd2l0aCB0
aGlzIHByb2JsZW0gdGhhdCBoYXMgY29udGFjdGVkDQoJCSBtZSwgYnV0IGltIGN1cnJlbnRseSB3
b3JraW5nIG9uIGFub3RoZXIgcHJvamVjdCBzb3JyeSIuDQoJCQ0KIAkJT24gMDguMDYuMDIgdmVu
ZG9yIHdhcyBzZW50IGEgY29weSBvZiB0aGlzIGFkdmlzb3J5LCBwYWNrZXQNCgkJZHVtcHMgb2Yg
dGhlIERvUyBhcyB3ZWxsIGFzIFBvQyBjb2RlIGFuZCB0d28gd2Vla3MgdG8gcmVzcG9uZA0KCQl3
aXRoIGEgcmVhc29uYWJsZSBzY2hlZHVsZSBmb3IgYSBmaXggYmVmb3JlIHRoaXMgaW5mb3JtYXRp
b24gDQoJCXdvdWxkIGJlIG1hZGUgcHVibGljLg0KDQoJCUFmdGVyIGZ1cnRoZXIgZW1haWxzIHZl
bmRvciBzdGF0ZWQ6DQoNCgkJInRoZSBwYXJzaW5nIG1vZHVsZSBpcyBiZWluZyByZWJ1aWx0LCBi
eSBqdW5lIDE3LCAyMDAyIHZlcnNpb24gDQoJCSAxLjA0IHdpbGwgaGF2ZSB0aGUgbmV3IG1vZHVs
ZSBmaXgiDQoNCiAJCUFzIG9mIHJlbGVhc2UgZGF0ZSBubyBmaXhlZCB2ZXJzaW9uIGlzIGF2YWls
YWJsZSBmcm9tIHZlbmRvcidzDQoJCXdlYnNpdGUgYW5kIHZlbmRvciBoYXMgYmVjb21lIHVucmVz
cG9uc2l2ZSB0byBmdXJ0aGVyIGF0dGVtcHRzDQoJCWF0IGNvbW11bmljYXRpb24uDQoJCQ0KCQlB
bHNvIENDJ2VkIGEgY29weSBvZiB0aGlzIGFkdmlzb3J5Lg0KCQkNCiBXb3JrYXJvdW5kOg0KIAkJ
VXNlIGEgbm9uLWRldmVsb3BtZW50IHN0YWdlIHdlYiBzZXJ2ZXIgZm9yIHlvdXIgaG9zdGluZy4N
CgkJDQogTm90ZXM6CQ0KCQlJbiB0ZXN0cyBpdCB0b29rIGV4YWN0bHkgOTYgc29ja2V0cyBhbmQg
Q1JMRiB3cml0ZXMgdG8gY3Jhc2gNCgkJdGhlIHNlcnZlciAoNDYgaWYgeW91IGRvIGl0IHRocm91
Z2ggbG9jYWxob3N0KS4gIFRoZSBzb2NrZXRzDQoJCWRpZCBub3QgbmVlZCB0byBiZSBrZXB0IG9w
ZW4gYW5kIHdlcmUgc2VxdWVudGlhbCBhcyBvcHBvc2VkIHRvDQoJCXBhcmFsbGVsLg0KDQoJCUl0
IHNlZW1zIHRoYXQgdmFyaW91cyBub24gSFRUUCBjb25mb3JtYW50IGRhdGEgY2FuIGNyYXNoIHRo
ZSANCgkJc2VydmVyIC0gYSBzaW5nbGUgQ1JMRiBwZXIgY29ubmVjdGlvbiBqdXN0IHNlZW1lZCBl
YXNpZXN0Lg0KDQoJCVRoaXMgYWR2aXNvcnkgaXMgYWxzbyBhdmFpbGFibGUgZnJvbToNCg0KCQlo
dHRwOi8vZWxhYm9yYXRpb24uOGJpdC5jby51ay9wcm9qZWN0cy90ZXh0cy9hZHZpc29yaWVzL0Fk
dlNlcnZlci5Eb1MudHh0DQoJCQ0KIAkNCg0KDQoNCg0K
------=_NextPart_000_01BC2B74.89D1CCC0--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC