Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01

2007.03.30
Credit: skillTube.com
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01 While developing one of our advanced security training modules, we identified a remotely exploitable buffer overflow vulnerability in the latest release of InterVetions' HTTP server NaviCopa 2.01. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code in the context of the NaviCopa HTTP server. .... The overflow can be triggered by sending a GET request in the following ways: GET /cgi-bin/AAAAAAAAAAAAA.... or GET /cgi/AAAAAAAAAAAAAAAAAA... The amount of submitted characters depends on the location of the NaviCopa installation folder. By default (Windows English version), it resides in the Program Files/NaviCOPA directory. In that case, eip is overwritten with characters 271 to 274. An exploit for this vulnerability has been developed and successfully tested against Windows 2000 Advanced Server, Windows XP SP2 and Windows Vista. Not surprisingly, ASLR (Address Space Layout Randomization) does not prevent reliable code execution due to its obvious limitations. An exploit for the Meatsploit Framework is available on our web site: http://www.skilltube.com/index.php?option=com_content&task=blogsection&i d=3&Itemid=37 Countermeasures: The vendor was informed on March 23, 2007 and published a patched version 2 hours later. Great response time! ******************************************************* Partner program: If you are interested in learning more about vulnerability research and exploitation techniques, check out our advanced security training modules on www.skillTube.com. Are you interested in becoming an author for skillTube.com? Just get in contact with us.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top