Bugtraq mailing list archives

Lame DoS in WEBactive win65/NT server


From: prizm () RESENTMENT ORG (Prizm)
Date: Thu, 13 Jul 2000 01:27:38 -800


I was looking for a small server to download recently to show one of
my friends something I had made and later I messed about with this
little program a bit and noticed some DoS bug. I have enclosed a .txt
file on the problem in it. Not a big deal, very un-used product.

-Prizm


Application: ITAfrica's WebACTIVE version 1.00
Problem Type: Denial of Service
Author: Prizm <Prizm () RESENTMENT org>
Platform(s): Windows 95/98/NT
Vendor Status: Not Informed, Project discontinued (I think)
Download URL: ftp://ftp.mira.net/mirrors/winsock-l/Windows95/Daemons/HTTPD/activ100.zip

Product Description
-------------------
    WEBactive HTTP Server 1.00 is an HTTP/1.00-compliant World Wide Web server daemon for
    Windows 95 or Windows NT, specifically designed for the SOHO (Small Office/Home)
    environment. It will operate on any TCP/IP connection to the Internet, whether via temporary
    dial-up or permanent leased-line connectivity.

Problem
-------

The problem is with bounds checking: when you request 280 characters, Webactiv.exe just shuts down.

Quick Example:

http://somedomain/0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000

*Also* by simply requesting /active.log, you can view the webserver log, because active.log is
       the default logfile name and the default directory is where that file is stored.

Vendor Status
-------------

Heh, this server was discontinued as far as I see... it is rather dated and doesn't support much.
Seeing as it was last revised in 1996, I think contacting the vendor would be rather meaningless... Also the fact that
it is HTTP/1.00-compliant kind of hints it is no longer being updated.

Greetings
---------

Lamagra, Scrippie, eth0, Cruciphux/HWA and many others...
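
Added example, not part of the original post and not WEBactive's code (its source is not shown here): a request-path parser with the two checks the advisory finds missing, a length bound applied before the copy and a refusal to serve the default log file. The 255-byte limit, the function names and the status mapping are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 255       /* assumed limit; WEBactive's real buffer size is unknown */
#define LOG_NAME "active.log"  /* default log file name given in the advisory */

enum { REQ_OK = 200, REQ_BAD = 400, REQ_FORBIDDEN = 403, REQ_TOO_LONG = 414 };

/* Case-insensitive equality: Windows file names ignore case. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Copy the path of "GET <path> HTTP/1.0" into out (out_sz bytes) and
   return an HTTP status. The length is checked before any byte is copied. */
int parse_request_path(const char *line, char *out, size_t out_sz) {
    if (out_sz == 0) return REQ_BAD;
    out[0] = '\0';
    if (strncmp(line, "GET ", 4) != 0) return REQ_BAD;
    const char *path = line + 4;
    size_t len = strcspn(path, " \r\n");   /* path ends at a space or line end */
    if (len == 0 || path[0] != '/') return REQ_BAD;
    if (len > MAX_PATH_LEN || len >= out_sz) return REQ_TOO_LONG;
    memcpy(out, path, len);
    out[len] = '\0';
    /* Find the last component, treating '\' as a separator too. */
    const char *base = out;
    for (const char *p = out; *p; p++)
        if (*p == '/' || *p == '\\') base = p + 1;
    return eq_nocase(base, LOG_NAME) ? REQ_FORBIDDEN : REQ_OK;
}

int main(void) {
    char path[MAX_PATH_LEN + 1], req[400];
    /* Constructed sample input: a request whose path is 281 bytes long. */
    memcpy(req, "GET /", 5);
    memset(req + 5, '0', 280);
    strcpy(req + 285, " HTTP/1.0\r\n");
    printf("long path   -> %d\n", parse_request_path(req, path, sizeof path));
    printf("/ACTIVE.LOG -> %d\n", parse_request_path("GET /ACTIVE.LOG HTTP/1.0\r\n", path, sizeof path));
    printf("/index.html -> %d\n", parse_request_path("GET /index.html HTTP/1.0\r\n", path, sizeof path));
    return 0;
}
```

The name filter is a backstop only; writing the log to a directory outside the served document root removes the exposure regardless of how the file name is spelled.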

