zawhttpd Remote HTTP GET Denial Of Service Vulnerability
BID:17814
Info
| Bugtraq ID: | 17814 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 03 2006 12:00AM |
| Updated: | May 03 2006 11:00PM |
| Credit: | Kamil Sienicki is credited with the discovery of this vulnerability. |
| Vulnerable: | Norz zawhttpd 0.8.23 |
| Not Vulnerable: | |
Discussion
The zawhttpd server is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the application to properly handle unexpected data.
An attacker can exploit this issue to crash the affected webserver, effectively denying service to legitimate users. The underlying issue may be buffer-overflow-related, so remote code execution may be possible, but this has not been confirmed.
Version 0.8.23 of zawhttpd is vulnerable to this issue; other firmware versions may also be affected.
Exploit / POC
Attackers may use standard network utilities to exploit this issue.
The following GET request is sufficient to trigger this issue:
GET \\\\\\\\\\\\\\\\\\\\ HTTP/1.0
The following proof-of-concept exploit is available:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
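With no vendor patch listed, request lines can be screened at a reverse proxy or during log review before they reach zawhttpd. The following is an added example, not part of the original advisory or of zawhttpd; the function names, the length limit and the sample lines are assumptions constructed here. It flags request targets of the shape quoted in this advisory.

```python
import re

# Request-line shape checked here: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
MAX_TARGET_LEN = 2048  # assumed limit; tune to the protected application


def check_request_line(line):
    """Return a list of reasons to reject the request line (empty = accept)."""
    reasons = []
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return ["malformed request line"]
    method, target = m.group(1), m.group(2)
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request target too long")
    if "\\" in target:
        reasons.append("backslash in request target")
    # Origin-form targets start with "/"; "*" is valid only for OPTIONS,
    # and absolute-form ("http://...") is what proxies receive.
    if not (target.startswith("/")
            or (target == "*" and method == "OPTIONS")
            or re.match(r"^https?://", target)):
        reasons.append("request target is not origin-form")
    return reasons


def scan(lines):
    """Map each flagged request line to its rejection reasons."""
    return {ln: r for ln in lines if (r := check_request_line(ln))}


# Constructed sample input: the first entry is the request line quoted in
# this advisory, the others are ordinary traffic.
SAMPLE = [
    "GET " + "\\" * 20 + " HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /img/logo.png HTTP/1.1",
    "OPTIONS * HTTP/1.1",
]

if __name__ == "__main__":
    for line, why in scan(SAMPLE).items():
        print(f"REJECT {line!r}: {', '.join(why)}")
```

Because the advisory does not confirm the root cause, treat this as a filter for the known trigger shape rather than a fix for the underlying flaw.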
References
References:
- zawhttpd Home Page (Norz)
- zawhttpd - Buffer Overflow (Kamil Sienicki)