#47 Pointer Dereference Vulnerability

open
nobody
None
5
2003-02-16
2003-02-16
No

Pointer Dereference Vulnerability in Savant Web Server

Savant Web Server offers support for HTTP/1.0 POST
requests for dynamic content. A vulnerability has been
discovered in the server that may cause it to crash
when handling POST requests.

Savant dynamically allocates POST buffers based on
the "Content-Length" header, but it fails to check the
validity of the pointer returned by the allocation.
If an attacker sends a POST request with a
Content-Length header indicating a very long POST
entity, the memory allocation fails.

Savant then attempts to write to a NULL memory region
while storing the POST body. This results in an access
violation, crashing the web server process:

POST / HTTP/1.0
Content-Length: -1

AAAAAAAA

Savant parses the -1 as a signed integer
(0xFFFFFFFF = -1). The memory allocation routines
invoked by Savant treat this value as an unsigned
integer, so it becomes a request for 4,294,967,295
bytes (4 GB). As this is the entire address space of a
Win32 process, the allocation always fails, and the
unchecked NULL pointer crashes the server.
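The allocation pattern described above, shown as an added illustration in C (this is not Savant's code): a signed Content-Length passed straight to malloc and never checked, beside a hardened parser that rejects negative, malformed and oversized values and checks the returned pointer. The size cap MAX_POST_BYTES is an assumed value.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_POST_BYTES (1024 * 1024) /* assumed per-request cap, not Savant's */

/* Vulnerable pattern: the header is parsed as a signed int and handed to
   malloc, whose size_t parameter reinterprets -1 as the largest size
   (0xFFFFFFFF on Win32). The allocation fails, and the NULL result is
   returned unchecked, so the caller writes the POST body through NULL. */
static char *alloc_post_buffer_vulnerable(const char *content_length) {
    int len = atoi(content_length);
    char *buf = malloc((size_t)len); /* -1 -> huge request, returns NULL */
    return buf;                      /* no NULL check */
}

/* Hardened parser: digits only, no sign, bounded by the cap.
   Returns 0 and stores the length on success, -1 on rejection. */
static int parse_content_length(const char *s, size_t *out) {
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1; /* overflow or junk */
    if (v > MAX_POST_BYTES) return -1;              /* oversized entity */
    *out = (size_t)v;
    return 0;
}

/* Allocates a body buffer only for a valid length, and refuses the
   request instead of dereferencing a failed allocation. */
static char *alloc_post_buffer_hardened(const char *content_length, size_t *len) {
    char *buf;
    if (parse_content_length(content_length, len) != 0) return NULL;
    buf = malloc(*len + 1);
    if (buf == NULL) return NULL; /* reject rather than write through NULL */
    buf[*len] = '\0';
    return buf;
}

/* Convenience probe: the accepted body length, or -1 if the request
   would be rejected by the hardened path. */
static long hardened_probe(const char *content_length) {
    size_t len = 0;
    char *buf = alloc_post_buffer_hardened(content_length, &len);
    if (buf == NULL) return -1;
    free(buf);
    return (long)len;
}
```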
