Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01
While developing one of our advanced security training modules, we identified a remotely exploitable buffer overflow vulnerability in the latest release of InterVetions' HTTP server NaviCopa 2.01. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code in the context of the NaviCopa HTTP server.
The overflow can be triggered by sending a GET request in either of the following ways:

GET /cgi-bin/AAAAAAAAAAAAA....

or

GET /cgi/AAAAAAAAAAAAAAAAAA...
The amount of submitted characters depends on the location of the NaviCopa installation folder. By default (Windows English version), it resides in the Program Files/NaviCOPA directory. In that case, eip is overwritten with characters 271 to 274. An exploit for this vulnerability has been developed and successfully tested against Windows 2000 Advanced Server, Windows XP SP2 and Windows Vista. Not surprisingly, ASLR (Address Space Layout Randomization) does not prevent reliable code execution due to its obvious limitations.
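For defenders, the trigger described above (a GET whose path under /cgi-bin/ or /cgi/ is long enough to reach the 271-274 byte region) is easy to spot in request logs or at a reverse proxy. The following is an added detection example, not code from the advisory or from InterVetions; the 200-byte threshold and the sample request lines are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Added example (not from the original advisory). Flags GET requests whose
# path component after /cgi-bin/ or /cgi/ is long enough to approach the
# overwrite region the advisory describes (characters 271-274 in a default
# install). The threshold is an assumption: it is set well below that offset
# because the exact distance varies with the installation folder.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<version>HTTP/\d\.\d)$")
CGI_PREFIXES = ("/cgi-bin/", "/cgi/")
PATH_THRESHOLD = 200  # assumption: alert before the ~271-byte offset is reached


class Finding(NamedTuple):
    path: str
    prefix: str
    payload_len: int


def inspect_request_line(line: str) -> Optional[Finding]:
    """Return a Finding for an overlong GET /cgi-bin/ or /cgi/ path, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m or m.group("method") != "GET":
        return None
    path = m.group("path")
    for prefix in CGI_PREFIXES:
        if path.startswith(prefix):
            payload_len = len(path) - len(prefix)
            if payload_len >= PATH_THRESHOLD:
                return Finding(path, prefix, payload_len)
    return None


def scan_request_lines(lines: List[str]) -> List[Finding]:
    """Run the check over a batch of HTTP request lines (e.g. from an access log)."""
    return [f for f in (inspect_request_line(line) for line in lines) if f]


# Constructed sample request lines; not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/test.cgi HTTP/1.0",
    "GET /cgi-bin/" + "A" * 300 + " HTTP/1.1",   # should be flagged
    "GET /cgi/" + "A" * 150 + " HTTP/1.1",       # below threshold, not flagged
    "GET /cgi/" + "A" * 280 + " HTTP/1.0",       # should be flagged
    "POST /cgi-bin/" + "A" * 300 + " HTTP/1.1",  # not a GET, not flagged
]

if __name__ == "__main__":
    for f in scan_request_lines(SAMPLE_REQUESTS):
        print(f"suspicious {f.prefix} request: {f.payload_len} bytes after prefix")
```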