[32209] in bugtraq
TelCondex SimpleWebserver Buffer Overflow
daemon@ATHENA.MIT.EDU (Oliver Karow)
Wed Oct 29 11:57:12 2003
Date: Wed, 29 Oct 2003 09:49:23 +0100 (MET)
From: "Oliver Karow" <Oliver.Karow@gmx.de>
To: bugtraq@securityfocus.com
Cc: horst.haas@TelCondex.de
MIME-Version: 1.0
Message-ID: <5542.1067417363@www19.gmx.net>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
TelCondex SimpleWebserver Buffer Overflow
=========================================
The TelCondex SimpleWebserver 2.12.30210 Build 3285 is vulnerable to a
remote executable buffer overflow, due to missing length check on the
referer-variable of the HTTP-header.
It is possible to overwrite the stack, and therefore to execute
arbitrary code on the system.
The vuln can be tested with netcat or telnet:
netcat webserver 80
GET /index.htm HTTP/1.0\r\n
Referer: 700 x [A]\r\n\r\n
The Webserver crashes at >= 700 bytes. A buffer of 704 bytes will overwrite
the return address on the stack.
The vendor was informed about the vuln on Mon. 27.10.03, and respondet
on Tue. 28.10.03 with a fixed version!
The new (fixed) version (2.13) is available at:
http://www.yourinfosystem.de/download/TcSimpleWebServer2000Setup.exe
Regards,
Oliver Karow
email: oliver.karow_AT_gmx.de
web: www.oliverkarow.de
--
NEU FÜR ALLE - GMX MediaCenter - für Fotos, Musik, Dateien...
Fotoalbum, File Sharing, MMS, Multimedia-Gruß, GMX FotoService
Jetzt kostenlos anmelden unter http://www.gmx.net
+++ GMX - die erste Adresse für Mail, Message, More! +++
