Abyss Web Server Heap Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1007087
SecurityTracker URL: http://securitytracker.com/id/1007087
Date: Jun 30 2003
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Two vulnerabilities were reported in the Abyss Web Server X1. A buffer overflow permits remote code execution. An input validation flaw permits cross-site scripting attacks.
The Hackademy Audit team reported that a remote user can supply a specially crafted HTTP GET request to trigger a heap buffer overflow. A demonstration exploit URL is provided:
GET /AAAAAA[...]AAAA:\ HTTP/1.0
This overflow can be exploited by a remote user to execute arbitrary code with the privileges of the web server.
An input validation vulnerability was also reported. A remote user can insert encoded carriage return, line feed, and space characters in the HTTP 'Location' header field. The server's '302' HTTP error code page reportedly displays the user-supplied 'Location' field. This reportedly permits remote cross-site scripting attacks.
A remote user can cause arbitrary code to be executed on the target server with the privileges of the web server process.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Abyss Web Server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has released a fixed version (1.1.6 beta). Contact the vendor to obtain the beta version.
The authors of the report note that they did not confirm through testing whether the new version is actually fixed or not, but that the vendor has credited the authors in the 1.1.6 beta release.
Vendor URL: www.aprelium.com/abyssws/index.html
Boundary error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: [Full-Disclosure] Aprelium Abyss webserver X1 arbitrary code execution and header
--[ Description ]--
Abyss Web Server is a free, closed-source, personal web server
for Windows and Linux operating systems.
Homepage : http://www.aprelium.com
The Hackademy Audit team has found two remote security holes in
Abyss Webserver X1, allowing arbitrary code execution and header
--[ Details ]--
1/ Remotely exploitable heap buffer overflow.
A buffer of length 0x800 is allocated on the heap. An unchecked call to
strcpy() can overflow this buffer with a string of almost arbitrary
length and content which is given by a malicious attacker.
The request leading to the overflow is the following. The important part
is the two characters ":\" at the end of the requested URL :
GET /AAAAAA[...]AAAA:\ HTTP/1.0
Arbitrary code can be executed on the machine running Abyss
Webserver X1 with the privileges of the user running the server.
This issue is not theoretical : we wrote a functional exploit, without
need for offset guessing or brute forcing, which works on Windows 2000
and XP (any SP).
2/ Header injection vulnerability.
With the same type of request a 302 HTTP code is returned by Abyss X1.
The Location header sent by the server contains the URL initially
requested, but with %xx decoded to ASCII values. Embedding %0D, %0A, and
%20 codes into the URL is allowed, meaning HTTP headers can be added.
This can lead to XSS issues, setting arbitrary cookies, etc.
--[ Vulnerable/Patched Versions ]--
Version 1.1.2 (and probably lower versions) are vulnerable.
Version 1.1.6 beta gives Special Thanks to our bug reporting, so it should be
it is unclear whether version 1.1.4 has all these bugs or only one of them. Although
the heap overflow can't be triggered by the method we mention here, Aprelium did
not confirm that it was fixed in this version, and we did not investigate the issue
further on this version.
--[ Greetings ]--
Many thanks to Daniel Dupard for running a Win2k hacking contest with
Abyss Webserver. I completed the first part of the challenge (executing
arbitrary code on the machine) by writing an exploit for the heap overflow
The Hackademy School, Journal & Audit
PS : hoping this advisory will not be bounced again and again on the list like the
previous one. Fix your Microsoft mail agents please ;-)
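The two flaws described in the report share one code path: a requested URL is percent-decoded and copied into a fixed buffer, then echoed in the Location header. The following is an added example of a hardened version of that step, not code from Abyss (which is closed-source) or from the Hackademy report; the function names and the sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LOC_BUF 0x800   /* same size as the heap buffer named in the advisory */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* build_location (hypothetical name): percent-decode url into out for use as a
 * Location header value. Every write is checked against outlen, and decoded
 * control bytes, spaces, '%' and non-ASCII bytes are written back as %XX so
 * they cannot end the header line. Returns length written, or -1 on error. */
int build_location(const char *url, char *out, size_t outlen) {
    static const char HEX[] = "0123456789ABCDEF";
    size_t n = 0;
    while (*url) {
        unsigned char c = (unsigned char)*url++;
        if (c == '%') {
            int hi = hexval(url[0]);
            int lo = hi < 0 ? -1 : hexval(url[1]);  /* never reads past the NUL */
            if (lo < 0) return -1;                   /* malformed escape */
            c = (unsigned char)(hi * 16 + lo);
            url += 2;
        }
        if (c <= 0x20 || c >= 0x7f || c == '%') {
            if (n + 3 >= outlen) return -1;          /* 3 bytes plus the NUL */
            out[n++] = '%'; out[n++] = HEX[c >> 4]; out[n++] = HEX[c & 15];
        } else {
            if (n + 1 >= outlen) return -1;          /* 1 byte plus the NUL */
            out[n++] = (char)c;
        }
    }
    if (n >= outlen) return -1;                      /* covers outlen == 0 */
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char out[LOC_BUF];
    /* Constructed sample input: a URL carrying encoded CR, LF and space. */
    if (build_location("/x%0d%0aSet-Cookie:%20a=b", out, sizeof out) >= 0)
        printf("Location: %s\r\n", out);
    return 0;
}
```

An over-long URL is refused instead of being copied, and the encoded CR/LF stay encoded, so the response carries a single Location line.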