Web Server Long URL Handling Remote Overflow DoS - Nessus

High   Plugin ID: 10320

This page contains detailed information about the Web Server Long URL Handling Remote Overflow DoS Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB, for verifying this vulnerability.

Plugin Overview


ID: 10320
Name: Web Server Long URL Handling Remote Overflow DoS
Filename: www_too_long_url.nasl
Vulnerability Published: N/A
This Plugin Published: 1999-06-22
Last Modification Time: 2018-08-07
Plugin Version: 1.75
Plugin Type: remote
Plugin Family: Web Servers
Dependencies: http_version.nasl, www_multiple_get.nasl
Required KB Items: Settings/ParanoidReport

Vulnerability Information


Severity: High
Vulnerability Published: N/A
Patch Published: N/A
CVE: CVE-2000-0002, CVE-2000-0065, CVE-2000-0571, CVE-2000-0641, CVE-2001-0820, CVE-2001-0836, CVE-2001-1250, CVE-2002-0123, CVE-2002-1003, CVE-2002-1011, CVE-2002-1012, CVE-2002-1120, CVE-2002-1166, CVE-2002-1212, CVE-2002-1905, CVE-2002-2149, CVE-2003-0125, CVE-2003-0833, CVE-2004-2299, CVE-2005-1173, CVE-2006-1652
CPE: N/A

Synopsis

The remote web server may be affected by a buffer overflow vulnerability.

Description

The remote web server crashes when it receives an overly long URL. It might be possible to make it execute arbitrary code through this flaw.

Solution

Contact the web server's author / vendor for a patch.

Public Exploits


Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Web Server Long URL Handling Remote Overflow DoS vulnerability:

  1. Metasploit: exploit/windows/vnc/ultravnc_client
    [UltraVNC 1.0.1 Client Buffer Overflow]
  2. Metasploit: exploit/windows/http/savant_31_overflow
    [Savant 3.1 Web Server Overflow]
  3. Exploit-DB: exploits/windows/remote/16490.rb
    [EDB-16490: UltraVNC 1.0.1 - Client Buffer Overflow (Metasploit)]
  4. Exploit-DB: exploits/windows/remote/16770.rb
    [EDB-16770: Savant Web Server 3.1 - Remote Overflow (Metasploit)]
  5. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 9.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
CVSS Temporal Score: 7.4 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.4 (High)


Plugin Source


This is the www_too_long_url.nasl nessus plugin source code. This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.

#
# (C) Tenable Network Security, Inc.
#

# Some vulnerable servers:
# SmallHTTP (All versions vulnerable: 2.x Stables, 3.x Latest beta 8)
# OmniHTTPd v2.09 of Omnicron (www.omnicron.ca)
# MyWebServer 1.02
# atphttpd-0.4b ?
# IBM Tivoli Management Framework < Currently Fixpack 2 or Patches 3.7.1-TMF-0066
#   LCFD process - default port 9495)
# IBM Tivoli Management Framework 3.6.x through 3.7.1 (fixed in 4.1)
#   Spider process - default port 94 redirected to another port.
# Lucent Access Point IP Services Router (Formerly known as Xedia Router)
# Oracle9iAS Web Cache/2.0.0.1.0
# TelCondex SimpleWebServer 2.06.20817 Build 3128
# WebServer 4 Everyone
# WebServer 4 Everyone v1.28 (if Host field is set)
# Savant Web Server 3.1 and previous
# WN Server 1.18.2 through 2.0.0 (upgrade to 2.4.4)
# Multitech RouteFinder 550 VPN  (upgrade to RF550VPN_V463)
# Web Server 4D/eCommerce 3.5.3
# ZBServer Pro 1.50-r13
# BRS WebWeaver 1.03
# U.S. Robotics Broadband-Router 8000A/8000-2 (USR848000A-02) running firmware version 2.5
# Polycomm ViaVideo Web component 2.2 & 3.0
# GazTek HTTP Daemon v1.4-3
# WebFS 1.20
# UltraVNC <= 1.0.1
#
########################
# References:
########################
#
# Date: Sat, 12 Oct 2002 07:49:52 +0200
# From:"Marc Ruef" <[email protected]>
# To:[email protected]
# Subject: Long URL crashes My Web Server 1.0.2
#
# Date: Sun, 13 Oct 2002 15:00:18 +0200
# From:"Marc Ruef" <[email protected]>
# To:[email protected]
# Subject: Long URL causes TelCondex SimpleWebServer to crash
#
# Date: Mon, 14 Oct 2002 08:27:54 +1300 (NZDT)
# From:[email protected]
# To:[email protected]
# Subject: Security vulnerabilities in Polycom ViaVideo Web component
#
# From:"David Endler" <[email protected]>
# To:[email protected]
# Date: Tue, 15 Oct 2002 13:12:35 -0400
# Subject: iDEFENSE Security Advisory 10.15.02: DoS and Directory Traversal Vulnerabilities in WebServer 4 Everyone
#
# Delivered-To: mailing list [email protected]
# Date: Tue, 10 Sep 2002 15:39:02 -0700
# Message-ID: <[email protected]>
# From: "Foundstone Labs" <[email protected]>
# To: "announce" <[email protected]>
# Subject: Foundstone Labs Advisory - Buffer Overflow in Savant Web Server
#
# From:"David Endler" <[email protected]>
# To: [email protected]
# Date: Mon, 30 Sep 2002 10:09:59 -0400
# Subject: iDEFENSE Security Advisory 09.30.2002: Buffer Overflow in WN Server
#
# From: "Tamer Sahin" <[email protected]>
# To: [email protected]
# Subject: Web Server 4D/eCommerce 3.5.3 DoS Vulnerability
# Date: Tue, 15 Jan 2002 00:35:59 +0200
# Affiliation: http://www.securityoffice.net
#
# From: "Tamer Sahin" <[email protected]>
# To: [email protected]
# Subject: ZBServer Pro DoS Vulnerability
# Date: Tue, 15 Jan 2002 04:44:37 +0200
# Affiliation: http://www.securityoffice.net
#
# Date:	 Mon, 14 Oct 2002 08:27:54 +1300 (NZDT)
# From:	[email protected]
# To:	[email protected]
# Subject: Security vulnerabilities in Polycom ViaVideo Web component
#
# Date: Sat, 12 Oct 2002 17:02:31 -0700
# To: [email protected]
# Subject: Pyramid Research Project - ghttpd security advisorie
# From: [email protected]
#
# Date: Tue Apr 04 2006 - 14:24:13 CDT
# To: [email protected]
# Subject: Buffer-overflow in Ultr@VNC 1.0.1 viewer and server
# From: Luigi Auriemma (aluigiautistici.org)
#
########################

include("compat.inc");

if (description)
{
 script_id(10320);
 script_version("1.75");
 script_cvs_date("Date: 2018/08/07 16:46:51");

 script_cve_id(
  "CVE-2000-0002",
  "CVE-2000-0065",
  "CVE-2000-0571",
  "CVE-2000-0641",
  "CVE-2001-0820",
  "CVE-2001-0836",
  "CVE-2001-1250",
  "CVE-2002-0123",
  "CVE-2002-1003",
  "CVE-2002-1011",
  "CVE-2002-1012",
  "CVE-2002-1120",
  "CVE-2002-1166",
  "CVE-2002-1212",
  "CVE-2002-1905",
  "CVE-2002-2149",
  "CVE-2003-0125",
  "CVE-2003-0833",
  "CVE-2004-2299",
  "CVE-2005-1173",
  "CVE-2006-1652"
 );
 script_bugtraq_id(
  889,
  1423,
  2979,
  6994,
  7067,
  7280,
  8726,
  17378
 );

 script_name(english:"Web Server Long URL Handling Remote Overflow DoS");
 script_summary(english:"Web server buffer overflow");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server may be affected by a buffer overflow
vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote web server crashes when it receives a too long URL. It
might be possible to make it execute arbitrary code through this flaw.");
 script_set_attribute(attribute:"solution", value:"Contact the web server's author / vendor for a patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'UltraVNC 1.0.1 Client Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_DENIAL);
# All the www_too_long_*.nasl scripts were first declared as
# ACT_DESTRUCTIVE_ATTACK, but many web servers are vulnerable to them:
# The web server might be killed by those generic tests before Nessus
# has a chance to perform known attacks for which a patch exists
# As ACT_DENIAL are performed one at a time (not in parallel), this reduces
# the risk of false positives.

 script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");

 script_dependencie('http_version.nasl', 'www_multiple_get.nasl');
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www",80);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80, embedded:1);

if (http_is_dead(port:port)) exit(1, "The web server on port "+port+" is dead");

# Try to avoid FP on CISCO 7940 phone
max = get_kb_item('www/multiple_get/'+port);
if (max)
{
 imax = max * 2 / 3;
 if (imax < 1)
  imax = 1;
 else if (imax > 5)
  imax = 5;
}
else
 imax = 5;
debug_print('imax=',imax,'\n');

# vWebServer and Small HTTP are vulnerable *if* the URL is requested
# a couple of times. Ref: VULN-DEV & BUGTRAQ (2001-09-29)
for (i = 0; i < imax; i = i + 1)
{
 r = http_send_recv3(port: port, method: 'GET', item: strcat('/', crap(65535)));
}


if(http_is_dead(port: port, retry:3))
{
	security_hole(port);
	set_kb_item(name:"www/too_long_url_crash", value:TRUE);
}
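The plugin above derives its request count from the www/multiple_get knowledge-base item (two thirds of that value, clamped to 1..5, or 5 when the item is absent) and then sends a 65535-byte URL that many times. The following is an added example, not part of the Tenable plugin: it re-implements that request-budget rule in Python so it can be checked, and shows the defender's side of the same behaviour, a detector that flags sources issuing oversized request targets in web server access logs. The 8192-byte threshold, the log lines and the IP addresses are constructed for the example; treating the NASL `/` as integer division is an assumption.

```python
import re
from collections import Counter

def request_budget(multiple_get):
    """Mirror the imax computation in www_too_long_url.nasl.

    No www/multiple_get value (or 0) means 5 requests; otherwise two thirds
    of the value, clamped to the range 1..5. NASL '/' on integers is
    assumed to truncate, hence '//' here."""
    if not multiple_get:
        return 5
    imax = multiple_get * 2 // 3
    return max(1, min(imax, 5))

# Combined/common log format: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_long_url_probes(lines, max_len=8192):
    """Return {client_ip: count} for requests whose target exceeds max_len
    bytes. 8192 is a constructed threshold chosen to match a conservative
    request-line limit; the plugin's 65535-byte URL is far above it."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        parts = m.group("req").split(" ")
        target = parts[1] if len(parts) >= 2 else ""
        if len(target) > max_len:
            hits[m.group("src")] += 1
    return dict(hits)

# Constructed sample log lines (not taken from the page): two oversized GETs
# from 192.0.2.10, and one ordinary request from 192.0.2.20.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2018:16:46:51 +0000] "GET /' + "A" * 65535 + ' HTTP/1.1" 414 0',
    '192.0.2.10 - - [07/Aug/2018:16:46:52 +0000] "GET /' + "A" * 65535 + ' HTTP/1.1" 414 0',
    '192.0.2.20 - - [07/Aug/2018:16:46:53 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(request_budget(6))                 # -> 4
    print(find_long_url_probes(SAMPLE_LOG))  # -> {'192.0.2.10': 2}
```

A server that answers such requests with 414 (as in the constructed lines) has already applied the relevant mitigation; the detector is useful for servers that simply drop or crash on them.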

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/www_too_long_url.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\www_too_long_url.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/www_too_long_url.nasl


How to Run


Here is how to run the Web Server Long URL Handling Remote Overflow DoS plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Web Servers plugin family.
  6. On the right side table select Web Server Long URL Handling Remote Overflow DoS plugin ID 10320.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin from the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl www_too_long_url.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a www_too_long_url.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - www_too_long_url.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state www_too_long_url.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 889, 1423, 2979, 6994, 7067, 7280, 8726, 17378

See also: Similar and related Nessus plugins:
  • 22254 - Web Server Expect Header XSS
  • 10498 - Web Server HTTP Dangerous Method Detection
  • 10759 - Web Server HTTP Header Internal IP Disclosure
  • 10297 - Web Server Directory Traversal Arbitrary File Access
  • 10815 - Web Server Generic XSS
  • 72955 - FreeBSD : www/chromium --multiple vulnerabilities (24cefa4b-a940-11e3-91f2-00262d5ed8ee)
  • 121324 - FreeBSD : www/py-requests -- Information disclosure vulnerability (50ad9a9a-1e28-11e9-98d7-0050562a4d7b)
  • 73049 - FreeBSD : www/chromium -- multiple vulnerabilities (a70966a1-ac22-11e3-8d04-00262d5ed8ee)
  • 77885 - FreeBSD : Flash player -- Multiple security vulnerabilities in www/linux-*-flashplugin11 (ca44b64c-4453-11e4-9ea1-c485083ca99c)
  • 84327 - FreeBSD : www/chromium -- multiple vulnerabilities (d46ed7b8-1912-11e5-9fdf-00262d5ed8ee)
  • 156016 - Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP)
  • 76254 - Revive Adserver 'www/delivery/axmlrpc.php' 'what' Parameter SQL Injection

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file www_too_long_url.nasl version 1.75. For more plugins, visit the Nessus Plugin Library.
