NCSA httpd buffer overflow
Description: | Standard overflow in client request string |
Author: | Renos <renosm@YAHOO.COM> |
Compromise: | You can probably run arbitrary commands on the web server machine, it is trivial to crash the server |
Vulnerable Systems: | Those running NCSA's httpd v1.4 for Windows. Probably earlier versions too. |
Date: | 8 May 1998 |
Date: Fri, 8 May 1998 01:33:26 -0700
From: Renos <renosm@YAHOO.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: NSCA HTTPD (for Windows) bug.
Well, it seems that I found a bug in NCSA's httpd v1.4 (for Windows).
The bug can cause the server to crash. The problem seems to be that
the server has MAX_STRING_LEN defined to 256 characters. So, when a
client's request is larger than 256 characters the server crases.
I tested it on a PC running Windows 3.11, wich I believe are more
stable than Win95, with W32s driver. I TELNETed into the server on
port 80 (using 127.0.0.1 as the IP address). Then using the 'GET'
command I insert more than 256 characters. The server crashed showing
a message asking the user to terminate the program. I haven't try it
yet on other PC, but the problem it's the MAX_STRING_LEN, so it
doesn't make any differents.
The server crashes showing no messages to the clients screen. In the
Access Log files the client's request seems like a normal request nad
Ididn't found anything on Error Log file.I even tested with a Web
Browser calling a file with more than 256 characters and I had the
same results.
Since the server is not for commercial use the bug doesn't seem to be
serious. A fix would be to re-define MAX_STRING_LEN to a much bigger
number. As far as I know the Server Administrator cannot re-define
MAX_STRING_LEN.
Greetings
Renos
_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: