[30339] in bugtraq
Re: Tornado www-server v1.2: directory traversal, buffer overflow
daemon@ATHENA.MIT.EDU (Berend-Jan Wever)
Tue Jun 3 15:13:28 2003
Message-ID: <000001c328e1$d4ccf3a0$0100a8c0@grotedoos>
From: "Berend-Jan Wever" <SkyLined@edup.tudelft.nl>
To: "D4rkGr3y" <grey_1999@mail.ru>, <bugtraq@security.nnov.ru>,
<bugtraq@securityfocus.com>
Date: Mon, 2 Jun 2003 09:40:22 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
I've done a quick debugging session: The overflow does not seem exploitable
other then a DoS.
What happens is that there is not enough heap to hold the long strings so it
writes past the heap to a location where no memory is allocated. This will
cause an unhandled exception.
Kind regards,
Berend-Jan Wever.
----- Original Message -----
From: "D4rkGr3y" <grey_1999@mail.ru>
To: <bugtraq@security.nnov.ru>; <bugtraq@securityfocus.com>
Sent: Friday, May 30, 2003 1:09
Subject: Tornado www-server v1.2: directory traversal, buffer overflow
<snip>
> This server is one BiG problem. IMHO is most dangerous server.
> Main bug in DNA ;D Attacker may see any files in system (but
> only if he know path and filename), may crash server (and exec
> malicious code) by sending long http request. Examples:
>
> www.server.com/../existing_file <-file be showed
>
> www.server.com/aa[more than 471 chars]
> | |
> #--------------------------------------------------------------#
> | Exploit: |
> ~~~~~~~~
>
> Naah, its not interesting. Lets authors code something better.
<snip>
