Small HTTP Server Buffer Overflow Vulnerability
BID:1355
Info
| Bugtraq ID: | 1355 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | Unknown |
| Published: | Jun 16 2000 12:00AM |
| Updated: | Jun 16 2000 12:00AM |
| Credit: | This vulnerability was released in an advisory by USSR Labs and posted to the Bugtraq mailing list on June 16, 2000. |
| Vulnerable: | Max Feoktistov Small HTTP server 1.212 |
| Not Vulnerable: | |
Discussion
A buffer overflow is present in certain versions of the Small HTTP Server. The overflow in question is triggered by an overlong (65000 or more characters) malformed HTTP GET request to the webserver.
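The boundary check whose absence produces this class of bug, as an added example (not Small HTTP Server's code and not from the advisory): a request-line parser that rejects an overlong target instead of copying it. The function names, the 2048-byte limit and the 400/414 status choices are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TARGET 2048  /* assumed limit for this example; not from the advisory */

/* Returns 200 with a NUL-terminated target in out, 400 for a malformed
 * request line, 414 when the target exceeds MAX_TARGET or does not fit out. */
int parse_request_target(const char *req, size_t req_len, char *out, size_t out_cap)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof method - 1;
    size_t n = 0;

    if (out_cap == 0 || req_len <= mlen || memcmp(req, method, mlen) != 0)
        return 400;
    req += mlen; req_len -= mlen;
    /* Scan only the bytes actually received; stop at the first delimiter. */
    while (n < req_len && req[n] != ' ' && req[n] != '\r' && req[n] != '\n')
        n++;
    if (n == 0 || req[0] != '/')
        return 400;
    if (n > MAX_TARGET || n >= out_cap)  /* reject; never truncate or overflow */
        return 414;
    memcpy(out, req, n);
    out[n] = '\0';
    return 200;
}

/* Constructed input: "GET /" + pad_len filler bytes + CRLF, parsed into 256 bytes. */
int status_for_padded_request(size_t pad_len)
{
    char out[256];
    size_t len = 5 + pad_len + 2;
    char *req = malloc(len);
    int status;
    if (req == NULL) return -1;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', pad_len);
    memcpy(req + 5 + pad_len, "\r\n", 2);
    status = parse_request_target(req, len, out, sizeof out);
    free(req);
    return status;
}

int main(void)
{
    printf("short=%d overlong=%d\n", status_for_padded_request(10), status_for_padded_request(65000));
    return 0;
}
```

The length test runs before any copy, so a request of the size described above is answered with 414 and the destination buffer is never written.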
Exploit / POC
As taken from the USSR advisory on this vulnerability:
$ telnet example.com 80
Trying example.com...
Connected to example.com.
Escape character is '^]'.
GET /[buffer]
Where [buffer] is approx. 65000 characters.
Prizm <[email protected]> has also provided the following exploit:
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Small HTTP server (Max Feoktistov [email protected])