Light HTTPd 0.1 (Windows) - Remote Buffer Overflow

Disclosure Date: March 31, 2003

Description

Buffer overflow in Light HTTPd (lhttpd) 0.1 allows remote attackers to execute arbitrary code via a long HTTP GET request.

Technical Analysis
start    end        module name
00400000 0041a000   lhttpd   C:\Documents and Settings\Administrator\My Documents\Downloads\ad9f3af85dc51499f7d252eb11bac5a2-lhttpd0.1-win\lhttpd\lhttpd.exe
662b0000 66308000   hnetcfg  C:\WINDOWS\system32\hnetcfg.dll
71a50000 71a8f000   mswsock  C:\WINDOWS\system32\mswsock.dll
71a90000 71a98000   wshtcpip C:\WINDOWS\System32\wshtcpip.dll
71aa0000 71aa8000   WS2HELP  C:\WINDOWS\system32\WS2HELP.dll
71ab0000 71ac7000   WS2_32   C:\WINDOWS\system32\WS2_32.dll
71ad0000 71ad9000   WSOCK32  C:\WINDOWS\system32\WSOCK32.DLL
76390000 763ad000   IMM32    C:\WINDOWS\system32\IMM32.DLL
77c10000 77c68000   msvcrt   C:\WINDOWS\system32\msvcrt.dll
77dd0000 77e6b000   ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000   RPCRT4   C:\WINDOWS\system32\RPCRT4.dll
77f10000 77f59000   GDI32    C:\WINDOWS\system32\GDI32.dll
77fe0000 77ff1000   Secur32  C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9af000   ntdll    C:\WINDOWS\system32\ntdll.dll
7e410000 7e4a1000   USER32   C:\WINDOWS\system32\USER32.DLL

Found sequences (All Modules)

Address    Disassembly                               Comment                                   Module Name
00401000   JMP SHORT lhttpd.00401012                 (Initial CPU selection)                   C:\Documents and Settings\Administrator\My Documents\Downloads\ad9f3af85dc51499f7d252eb11bac5a2-lhttpd0.1-win\lhttpd\lhttpd.exe
662B1000   TEST AL,7C                                (Initial CPU selection)                   C:\WINDOWS\system32\hnetcfg.dll
662EB24F   JMP ESP                                                                             C:\WINDOWS\system32\hnetcfg.dll
71A51000   MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]  (Initial CPU selection)                   C:\WINDOWS\system32\mswsock.dll
71A91000   SBB BL,BYTE PTR DS:[ESI]                  (Initial CPU selection)                   C:\WINDOWS\System32\wshtcpip.dll
71A91C8B   JMP ESP                                                                             C:\WINDOWS\System32\wshtcpip.dll
71AA1000   MOV ECX,A877DD7C                          (Initial CPU selection)                   C:\WINDOWS\system32\WS2HELP.dll
71AB1000   OUT DX,AL                                 (Initial CPU selection)                   C:\WINDOWS\system32\WS2_32.dll
71AD1000   ADC EAX,DWORD PTR ES:[ECX+8017E97C]       (Initial CPU selection)                   C:\WINDOWS\system32\WSOCK32.DLL
76391000   MOV EDX,A877DD7F                          (Initial CPU selection)                   C:\WINDOWS\system32\IMM32.DLL
77C11000   MOV BYTE PTR DS:[EAX+EAX*4+90FE017C],BL   (Initial CPU selection)                   C:\WINDOWS\system32\msvcrt.dll
77DD1000   SUB DWORD PTR DS:[ESI],EDX                (Initial CPU selection)                   C:\WINDOWS\system32\ADVAPI32.dll
77DEF049   JMP ESP                                                                             C:\WINDOWS\system32\ADVAPI32.dll
77DF965B   JMP ESP                                                                             C:\WINDOWS\system32\ADVAPI32.dll
77E18063   JMP ESP                                                                             C:\WINDOWS\system32\ADVAPI32.dll
77E23B63   JMP ESP                                                                             C:\WINDOWS\system32\ADVAPI32.dll
77E42A9F   JMP ESP                                                                             C:\WINDOWS\system32\ADVAPI32.dll
77E71000   MOV DH,79                                 (Initial CPU selection)                   C:\WINDOWS\system32\RPCRT4.dll
77E8560A   JMP ESP                                                                             C:\WINDOWS\system32\RPCRT4.dll
77E9025B   JMP ESP                                                                             C:\WINDOWS\system32\RPCRT4.dll
77F11000   INC ESI                                   (Initial CPU selection)                   C:\WINDOWS\system32\GDI32.dll
77F31D2F   JMP ESP                                                                             C:\WINDOWS\system32\GDI32.dll
77FE1000   PUSH EDI                                  (Initial CPU selection)                   C:\WINDOWS\system32\Secur32.dll
7C801000   INT 81                                    (Initial CPU selection)                   C:\WINDOWS\system32\kernel32.dll
7C86467B   JMP ESP                                                                             C:\WINDOWS\system32\kernel32.dll
7C901000   MOV ECX,DWORD PTR FS:[18]                 (Initial CPU selection)                   C:\WINDOWS\system32\ntdll.dll
7E411000   SALC                                      (Initial CPU selection)                   C:\WINDOWS\system32\USER32.DLL
7E429353   JMP ESP                                                                             C:\WINDOWS\system32\USER32.DLL
7E4456F7   JMP ESP                                                                             C:\WINDOWS\system32\USER32.DLL
7E455AF7   JMP ESP                                                                             C:\WINDOWS\system32\USER32.DLL
7E45B310   JMP ESP                                                                             C:\WINDOWS\system32\USER32.DLL

Dump:

00dfbceb 90 90 90 90 90 90 90  .......
00dfbcf2 90 90 90 90 90 90 90  .......
00dfbcf9 90 90 90 90 90 20 2d  ..... -
00dfbd00 20 43 6f 6e 6e 65 63   Connec
00dfbd07 74 69 6f 6e 20 66 72  tion fr
00dfbd0e 6f 6d 20 31 30 2e 30  om 10.0
00dfbd15 2e 31 2e 37 36 2c 20  .1.76,
00dfbd1c 72 65 71 75 65 73 74  request
00dfbd23 20 3d 20 22 47 45 54   = "GET
00dfbd2a 20 2f 90 90 90 90 90   /.....
00dfbd31 90 90 90 90 90 90 90  .......
00dfbd38 90 90 90 90 90 90 90  .......
00dfbd3f 90 90 90 90 90 90 90  .......
00dfbd46 90 90 90 90 90 90 90  .......

In function serveconnection(), protocol.c:

  Log("Connection from %s, request = \"GET %s\"", inet_ntoa(sa.sin_addr), ptr);

The Log() function comes from util.c:

	void Log(char *format, ...)
	{
		FILE *logfile;
		time_t t;
		struct tm *tm;
		char temp[200], temp2[200], logfilename[255];
		char datetime[] = "[%d.%m.%Y] [%H:%M.%S]";
		char datetime_final[128];
		va_list ap;

		va_start(ap, format);		// format it all into temp
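		vsprintf(temp, format, ap);	// unbounded write: temp holds only 200 bytes, the request string is attacker-controlled
		/* ... remainder of Log() is not shown ... */
	}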
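
The unbounded vsprintf() into the 200-byte temp buffer shown above, measured and then replaced with a length-checked call, as an added example that is not part of the original assessment or of the lhttpd source. The helper names, the 300-byte path and the 192.0.2.10 address are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_TEMP_SIZE 200  /* same size as temp[] in the Log() excerpt */

/* Bytes (excluding the NUL) that vsprintf(temp, format, ap) would write
 * for these arguments, measured without writing anything. */
static int log_bytes_needed(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(NULL, 0, format, ap);
    va_end(ap);
    return n;
}

/* Hardened formatting step: never writes more than dstsz bytes.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
static int log_format_bounded(char *dst, size_t dstsz, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(dst, dstsz, format, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= dstsz ? 1 : 0;
}

/* Constructed sample: a 300-byte request path logged through the bounded call. */
static int demo_long_request(char *out, size_t outsz)
{
    char path[301];
    memset(path, 'A', sizeof path - 1);
    path[sizeof path - 1] = '\0';
    return log_format_bounded(out, outsz,
        "Connection from %s, request = \"GET %s\"", "192.0.2.10", path);
}

int main(void)
{
    char temp[LOG_TEMP_SIZE];
    int truncated = demo_long_request(temp, sizeof temp);
    int needed = log_bytes_needed("request = \"GET %s\"", "/index.html");
    printf("truncated=%d stored=%zu short_request_needs=%d\n",
           truncated, strlen(temp), needed);
    return 0;
}
```

A truncated return value is worth logging on its own, since a request line longer than the log buffer is rarely legitimate traffic.
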
General Information

Vendors

  • light httpd

Products

  • light httpd 0.1
