Vulnerabilities > CVE-2001-0029 - Buffer Overflow vulnerability in Igor Khasilev Oops Proxy Server 1.4.22

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
igor-khasilev
critical
nessus
exploit available

Summary

Buffer overflow in oops WWW proxy server 1.4.6 (and possibly other versions) allows remote attackers to execute arbitrary commands via a long host or domain name that is obtained from a reverse DNS lookup.

Vulnerable Configurations

Part Description Count
Application
Igor_Khasilev
1

Exploit-Db

description: Oops! 1.4.6 (one russi4n proxy-server) Heap Buffer Overflow Exploit. CVE-2001-0029. Remote exploit for bsd platform
id: EDB-ID:228
last seen: 2016-01-31
modified: 2000-12-15
published: 2000-12-15
reporter: diman
source: https://www.exploit-db.com/download/228/
title: Oops! 1.4.6 one russi4n proxy-server Heap Buffer Overflow Exploit

Nessus

NASL family: Web Servers
NASL id: OOPS_OVERFLOW.NASL
description: The remote server appears to be running oops WWW proxy server version 1.4.6 or older. Such versions are reportedly affected by a buffer overflow vulnerability. A remote attacker might exploit this vulnerability to crash the server or execute arbitrary commands on the remote system.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10578
published: 2000-12-13
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10578
title: oops WWW Proxy Server Reverse DNS Response Overflow
code
#
# (C) Tenable Network Security, Inc.
#

#
# Should also cover http://seclists.org/vulnwatch/2003/q2/84
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# metadata (identifiers, advisory text, scoring, scheduling requirements) and
# then exits via exit(0) below, so nothing in this block contacts the target.
if (description)
{
 # Plugin identity and revision bookkeeping.
 script_id(10578);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:25");

 # Cross-references used to correlate the finding with other advisories.
 script_cve_id("CVE-2001-0029");
 script_bugtraq_id(2099);

 script_name(english:"oops WWW Proxy Server Reverse DNS Response Overflow");
 script_summary(english:"Overflows oops");

 # Advisory text shown in the report. The description names version 1.4.6 or
 # older, but the check further down never reads a version string; it infers
 # the flaw from the proxy becoming unresponsive.
 script_set_attribute(attribute:"synopsis", value:
"The remote proxy server is affected by a buffer overflow
vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote server appears to be running ooops WWW proxy server version
1.4.6 or older. Such versions are reportedly affected by a buffer
overflow vulnerability. A remote attacker might exploit this
vulnerability to crash the server or execute arbitrary commands on the
remote system.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Dec/188");
 script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of this software");
 # NOTE(review): this CVSS2 base vector rates confidentiality, integrity and
 # availability impact as Partial (C:P/I:P/A:P), whereas the CVE record shown
 # alongside this listing rates all three as COMPLETE with a 10.0 score.
 # Confirm which rating a triage process should rely on.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2000/12/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/12/13");

 # Flags the result as a potential (not confirmed) vulnerability; this matches
 # the ParanoidReport requirement below and the paranoia gate in the check body.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # Declared as a destructive check: the body sends an oversized request and
 # reports a finding only if the proxy stops answering, so a vulnerable service
 # may be left down after the scan. Presumably skipped when the scan policy
 # enables safe checks; verify against the scanner configuration before
 # running against production systems.
 script_category(ACT_DESTRUCTIVE_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");

 # Scheduling requirements: depends on http_version.nasl, requires the
 # Settings/ParanoidReport KB key, and needs a detected HTTP proxy service or
 # port 3128.
 script_dependencie("http_version.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/http_proxy", 3128);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Opt-in gate: stop with AUDIT_PARANOID unless report_paranoia is at least 2.
# The result below is inferred from the service going silent, not from a
# confirmed overflow, so it is only produced when paranoid reporting is on.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Use the proxy port recorded in the knowledge base, falling back to 3128.
port = get_kb_item("Services/http_proxy");
if (!port) port = 3128;

# Preconditions: the port must be open and the proxy must already respond,
# otherwise a later lack of response could not be attributed to this check.
if (!get_port_state(port)) exit(0, "Port "+port+" is closed.");
if (http_is_dead(port: port)) exit(1, "The web proxy on port "+port+" is dead.");

# Baseline request with a short (12-character) host name; exit_on_fail:1 ends
# the script here if the proxy does not answer even this request.
reply = http_send_recv3(method:"GET", item:string("http://", crap(12)), port:port, exit_on_fail: 1);

# Same request shape with a 1200-character host name.
long_url = string("http://", crap(1200));

# One initial attempt plus three retries, each retry preceded by a one-second
# pause. Any answer at all means the proxy survived, so the script exits
# without reporting.
for (attempt = 0; attempt < 4; attempt++)
{
  if (attempt > 0) sleep(1);
  reply = http_send_recv3(method:"GET", item:long_url, port:port, exit_on_fail: 0);
  if (!isnull(reply))
    exit(0, "The web proxy on port "+port+" is still alive.");
}

# No answer on any attempt: report the port. NOTE(review): an intermediate
# filter that drops over-long requests would presumably look the same from
# here, so treat the finding as a lead to confirm on the host (service state,
# crash logs, installed version) rather than as proof.
security_hole(port);