NCSA httpd buffer overflow

Summary
Description:Standard overflow in client request string
Author:Renos <renosm@YAHOO.COM>
Compromise:You can probably run arbitrary commands on the web server machine, it is trivial to crash the server
Vulnerable Systems:Those running NCSA's httpd v1.4 for Windows. Probably earlier versions too.
Date:8 May 1998
Details


Date: Fri, 8 May 1998 01:33:26 -0700
From: Renos <renosm@YAHOO.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: NSCA HTTPD (for Windows) bug.

Well, it seems that I found a bug in NCSA's httpd v1.4 (for Windows).
The bug can cause the server to crash. The problem seems to be that
the server has MAX_STRING_LEN defined to 256 characters. So, when a
client's request is larger than 256 characters the server crases.
I tested it on a PC running Windows 3.11, wich I believe are more
stable than Win95, with W32s driver. I TELNETed into the server on
port 80 (using 127.0.0.1 as the IP address). Then using the 'GET'
command I insert more than 256 characters. The server crashed showing
a message asking the user to terminate the program. I haven't try it
yet on other PC, but the problem it's the MAX_STRING_LEN, so it
doesn't make any differents.
The server crashes showing no messages to the clients screen. In the
Access Log files the client's request seems like a normal request nad
Ididn't found anything on Error Log file.I even tested with a Web
Browser calling a file with more than 256 characters and I had the
same results.
Since the server is not for commercial use the bug doesn't seem to be
serious. A fix would be to re-define MAX_STRING_LEN to a much bigger
number. As far as I know the Server Administrator cannot re-define
MAX_STRING_LEN.
Greetings
Renos




_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]