Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01

Buffer Overflow in InterVetions' NaviCopa HTTP server 2.01

While developing one of our advanced security training modules, we
identified a remotely exploitable buffer overflow vulnerability in the
latest release of InterVetions' HTTP server NaviCopa 2.01. Successful
exploitation of this vulnerability allows an attacker to execute
arbitrary code in the context of the NaviCopa HTTP server. …

The overflow can be triggered by sending a GET request in the following ways:

GET /cgi-bin/AAAAAAAAAAAAA…
or
GET /cgi/AAAAAAAAAAAAAAAAAA…

The amount of submitted characters depends on the location of the
NaviCopa installation folder. By default (Windows English version), it
resides in the Program Files/NaviCOPA directory. In that case, eip is
overwritten with characters 271 to 274. An exploit for this
vulnerability has been developed and successfully tested against
Windows 2000 Advanced Server, Windows XP SP2 and Windows Vista. Not
surprisingly, ASLR (Address Space Layout Randomization) does not
prevent reliable code execution due to its obvious limitations.

An exploit for the Meatsploit Framework is available on our web site:

http://www.skilltube.com/index.php?option=com_content&task=blogsection&id=3&Itemid=37

Countermeasures:
The vendor was informed on March 23, 2007 and published a patched
version 2 hours later. Great response time!

Partner program:
If you are interested in learning more about vulnerability research
and exploitation techniques, check out our advanced security training
modules on www.skillTube.com. Are you interested in becoming an author
for skillTube.com? Just get in contact with us.