Re: [Full-disclosure] [fuzzing] Vulnerable test application: Simple Web Server (SWS)
- To: fuzzing@xxxxxxxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] [fuzzing] Vulnerable test application: Simple Web Server (SWS)
- From: Ari Takanen <ari.takanen@xxxxxxxxxxxxxxx>
- Date: Fri, 14 Sep 2007 22:37:28 +0300
Thanks Gadi,
Good stuff. Only problem we are having with it is that it keeps crashing
even with all the vulnerabilities disabled in the GUI. This makes
verifying the findings a bit harder. :)
E.g. disable all vulnerabilities in the GUI and try sending this
through netcat to SWS and voila!
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
Content-Length: -1
Host: www.example.com:80
User-Agent: Mozilla/4.0 (compatible; Codenomicon HTTP Server Test Tool; Windows NT 5.1; 11549; http11-content-length-v-int)
Best regards,
Ari Takanen & Jari Tauriainen (who did the dirty testing work)
PS. "This web server MUST NEVER BE USED ON THE INTERNET" - couldn't agree
more, even with all the intended vulnerabilities disabled. ;)
PPS. Seriously, Good Work! We need more neutral non-critical test
targets like this. ;)
On Mon, Sep 10, 2007 at 12:00:02PM -0500,
fuzzing-request@xxxxxxxxxxxxxxxxxxxxxx wrote:
> Date: Mon, 10 Sep 2007 01:06:29 -0500 (CDT)
> From: Gadi Evron <ge@xxxxxxxxxxxx>
>
> Every once in a while (last time a few months ago) someone emails one of
> the mailing lists about searching for an example binary, mostly for:
>
> - Reverse engineering for vulnerabilities, as a study tool.
> - Testing fuzzers
>
> Some of these exist, but I asked my employer, Beyond Security, to release
> our test application, specific for testing fuzzing (built for the beSTORM
> fuzzer). They agreed to release the HTTP version, following their
> agreement to release our ANI XML specification.
>
> The GUI allows you to choose what port you want to run it on, as well as
> which vulnerabilities should be "active".
>
> It is called Simple Web Server or SWS, and has the following
> vulnerabilities:
>
> 1. Off-By-One in Content-Length (Integer overflow/malloc issue)
> 2. Overflow in User-Agent
> 3. Overflow in Method
> 4. Overflow in URI
> 5. Overflow in Host
> 6. Overflow in Version
> 7. Overflow in complete packet
> 8. Off By One in Receive function (linefeed/carriage return issue)
> 9. Overflow in Authorization Type
> 10. Overflow in Base64 decoded
> 11. Overflow in Username of authorization
> 12. Overflow in Password of authorization
> 13. Overflow in Body
> 14. Cross site scripting
>
> It can be found on Beyond Security's website, here:
> http://www.beyondsecurity.com/sws_overview.html
>
> Thanks,
>
> Gadi Evron.
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen@xxxxxxxxxxxxxxx Tutkijantie 4E
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
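
The message above does not say why SWS crashes on "Content-Length: -1". As an added example (not code from SWS, beSTORM or Codenomicon), this is one way a C server can validate the header so that a signed or oversized value never becomes an allocation size; MAX_BODY_BYTES and both function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this example: largest request body the server accepts. */
#define MAX_BODY_BYTES ((uint64_t)1 << 20)

/* Parse a Content-Length value (the text after the colon). Returns 0 and
 * stores the length in *out, or -1 if malformed, signed or over the limit. */
int parse_content_length(const char *value, size_t *out)
{
    uint64_t n = 0;
    int digits = 0;
    if (value == NULL || out == NULL)
        return -1;
    while (*value == ' ' || *value == '\t')   /* optional leading whitespace */
        value++;
    /* Digits only: a sign is rejected here, whereas atoi() would hand back -1
     * for "-1" and a later cast to size_t would turn that into a huge size. */
    for (; *value >= '0' && *value <= '9'; value++) {
        n = n * 10 + (uint64_t)(*value - '0');
        if (n > MAX_BODY_BYTES)               /* checked per digit, so n never wraps */
            return -1;
        digits = 1;
    }
    while (*value == ' ' || *value == '\t')   /* optional trailing whitespace */
        value++;
    if (!digits || *value != '\0')            /* empty value or trailing junk */
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Buffer size for body plus NUL terminator; 0 means "reject the request". */
size_t body_buffer_size(const char *value)
{
    size_t len;
    if (parse_content_length(value, &len) != 0)
        return 0;
    return len + 1;   /* cannot overflow: len is capped at MAX_BODY_BYTES */
}

int main(void)
{
    /* Constructed sample values, including the -1 from the request above. */
    const char *samples[] = { "-1", "0", "1024", "99999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %zu\n", samples[i], body_buffer_size(samples[i]));
    return 0;
}
```

A return of 0 from body_buffer_size() is the signal to answer with 400 Bad Request instead of allocating anything.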