mailing list archives
From: "elaborate ruse" <elaborateruse () trust-me com>
Date: Fri, 21 Jun 2002 14:22:53 -0500
Title: AdvServer DoS
Author: elab (http://elaboration.8bit.co.uk)
Tested: Version 1.030000
Vendor: WWW: http://gamecheats.ws
Contacted on: 30 May 02
Via: tassadar () mail com && website
Response: Within 2 days
WARNING: This advisory has NOTHING to do with the Microsoft webserver of
a similar name.
From vendor's website (http://gamecheats.ws):
"AdvServer is all you need for your web hosting
needs, if you want a fast ,reliable ,and robust
http web server then AdvServer is perfect for
you. AdvServer Multithreading system allows
you to handle insane amounts of web traffic.
Smart PreCache system that loads frequently
used files in to memory ,allowing for lightning fast
server responces. Custom Api system so you
are able to create library modules that increase
the functionality of your website. AdvServer fully
supports CGI applications such as Perl or PHP.
Best of all AdvServer setup screen makes
customization a breeze. Download AdvServer
Today its free!"
A DoS condition exists in AdvServer which can render the server
unresponsive to further connections.
Connecting to AdvServer and sending a single CRLF sequence
causes a page fault in advserver.exe. At this point the
server still accepts new connections. If this action is
repeated around another 100 times the server stops accepting new
The version tested and found to be vulnerable was 1.030000.
The platform tested on was Microsoft Windows 98SE.
Searches at securityfocus archives revealed no previous postings
about this product yet a google search shows multiple download
Vendor was contacted on 30 May 02 via email and website.
Initial response was:
"your the first person with this problem that has contacted
me, but im currently working on another project sorry".
On 08.06.02 vendor was sent a copy of this advisory, packet
dumps of the DoS as well as PoC code and two weeks to respond
with a reasonable schedule for a fix before this information
would be made public.
After further emails vendor stated:
"the parsing module is being rebuilt, by june 17, 2002 version
1.04 will have the new module fix"
As of release date no fixed version is available from vendor's
website and vendor has become unresponsive to further attempts
Also CC'ed a copy of this advisory.
Use a non-development stage web server for your hosting.
In tests it took exactly 96 sockets and CRLF writes to crash
the server (46 if you do it through localhost). The sockets
did not need to be kept open and were sequential as opposed to
It seems that various non HTTP conformant data can crash the
server - a single CRLF per connection just seemed easiest.
This advisory is also available from:
Free email with personality! Over 200 domains!
- AdvServer DoS elaborate ruse (Jun 21)