Surfboard httpd Buffer Overflow May Allow a Remote User to Execute Arbitrary Code

SecurityTracker Alert ID: 1008549
SecurityTracker URL: http://securitytracker.com/id/1008549
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Dec 26 2003
Original Entry Date: Dec 26 2003
Impact: Denial of service via network, Execution of arbitrary code via network
Exploit Included: Yes
Version(s): 1.1.9

Description:
d3ck4 reported a buffer overflow vulnerability in the Surfboard httpd web server. A remote user may be able to execute arbitrary code (but that was not confirmed in the report).
It is reported that a remote user can request a specially crafted URL with more than 1024 characters to trigger a buffer overflow, overwriting the EDI register.
A demonstration exploit HTTP GET request is provided:
GET /AAAAAAAAAAAA..x1024++ HTTP/1.1\r\n\r\n
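
The advisory attributes the flaw to a boundary error triggered by a URL longer than 1024 characters. The following C code is an added example, not Surfboard's source (which this page does not show): a request-line parser that validates the target length before copying and answers an overlong URI with 414 instead of writing past its buffer. `PATH_MAX_LEN`, `parse_request_target` and the status enum are hypothetical names; the 1024 limit is an assumption taken from the advisory's threshold.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 1024   /* assumption: limit taken from the advisory's 1024-character threshold */
enum parse_status { PARSE_OK = 200, PARSE_BAD_REQUEST = 400, PARSE_URI_TOO_LONG = 414 };

/* Hypothetical helper: copy the request-target of "GET <target> HTTP/1.x" into
   out. Every length is checked before a single byte is copied. */
enum parse_status parse_request_target(const char *line, size_t line_len,
                                       char *out, size_t out_cap)
{
    const size_t mlen = 4;                       /* strlen("GET ") */
    if (out == NULL || out_cap == 0)
        return PARSE_BAD_REQUEST;
    out[0] = '\0';
    if (line == NULL || line_len <= mlen || memcmp(line, "GET ", mlen) != 0)
        return PARSE_BAD_REQUEST;

    const char *target = line + mlen;
    size_t remaining = line_len - mlen;
    const char *end = memchr(target, ' ', remaining);
    if (end == NULL)   /* no delimiter: overlong target or malformed line */
        return remaining > PATH_MAX_LEN ? PARSE_URI_TOO_LONG : PARSE_BAD_REQUEST;

    size_t tlen = (size_t)(end - target);
    if (tlen == 0 || target[0] != '/')
        return PARSE_BAD_REQUEST;
    if (tlen > PATH_MAX_LEN || tlen >= out_cap)
        return PARSE_URI_TOO_LONG;               /* reject; never truncate and continue */
    if (memchr(target, '\0', tlen) != NULL)
        return PARSE_BAD_REQUEST;                /* embedded NUL would confuse later string calls */

    memcpy(out, target, tlen);
    out[tlen] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char path[PATH_MAX_LEN + 1];
    char big[PATH_MAX_LEN + 64];                 /* constructed overlong request line */
    memset(big, 'A', sizeof(big));
    memcpy(big, "GET /", 5);
    memcpy(big + sizeof(big) - 9, " HTTP/1.1", 9);
    printf("%d\n", parse_request_target("GET /index.html HTTP/1.1", 24, path, sizeof(path)));
    printf("%d\n", parse_request_target(big, sizeof(big), path, sizeof(path)));
    return 0;
}
```

The caller passes the number of bytes actually read from the socket as `line_len`, so the parser never depends on the request being NUL-terminated.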

Impact:
A remote user may be able to cause the target service to crash. A remote user may be able to execute arbitrary code on the target system. [Editor's note: The report did not confirm the specific impact of this buffer overflow.]

Solution:
No solution was available at the time of this entry.

Vendor URL: surfd.sourceforge.net/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.

Source Message Contents

Subject: surfboard 1.1.9 and maybe all versions contain remote buffer overflow

#######################################################################
(c) d3ck4
Application: Surfboard webserver
http://surfd.sourceforge.net
Versions: All
Platforms: *nix
Bugs: Boundary Condition Error
Risk: medium/high
Date: 25 Dec 2003
Author: d3ck4
e-mail: decka_trash@yahoo.com
#######################################################################
1) Introduction
2) Bug
3) Proof of Concept
#######################################################################
===============
1) Introduction
===============
From the website:
"Surfboard is a trivial web server, written by
Meredydd Luff."
#######################################################################
=======
2) Bugs
=======
When a long crafted index file with more than 1024
characters is requested, it will cause an overflow and
overwrite the EDI register. I'm not sure whether this may
allow a remote attacker to execute arbitrary code and
gain control of the target system with the default
uid=99(nobody) gid=99(nobody) privileges.
#######################################################################
================
Proof of concept
================
Telnet or netcat to the target surfboard http server
and port specified in the system config file and
request:
GET /AAAAAAAAAAAA..x1024++ HTTP/1.1\r\n\r\n
This will cause the EDI register to be overwritten with
0x41414141, which stands for 'A'.
#######################################################################