lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <021501c23a73$cc463b40$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Xitami Connection Flood Server Termination Vulnerability

Affected Systems
----------------

The vulnerability was discovered on Xitami 2.5b5 for Win32, so this may (or may not) be a Win32-specific issue. No data has been collected on other versions, so any determination about them would be pure speculation and therefore not helpful to those running potentially vulnerable systems.

The Problem
-----------

Xitami 2.5b5 is the latest (beta) version of iMatix's flagship web server. It appears to handle large numbers of connections in an erratic manner. The end result of this problem is a denial of service caused by a runtime error in the server process. The failure appears to occur once the server exceeds its configured maximum number of concurrent sessions, and it progresses through the following stages:

1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Session request is ignored
5) Server crashes (DOH!)

When the fifth stage is reached, Xitami dies with a Microsoft Visual C++ Runtime Error: an abnormal program termination inside XIWIN32.EXE. The message is *not* followed by any Win32 exception dialog.

The Workaround
--------------

The solution for beta users is simply to stop limiting the maximum number of concurrent HTTP sessions, although this may cause performance issues.

Exploitation
------------

Simply navigating quickly around the vulnerable site can result in successful exploitation of the vulnerability. It should be noted that browser-based exploitation will require extensive use of the back button once the more severe stages of service failure are reached.

Other Notes
-----------

Unlike some server crashes, the service process will *not* recover from the crash caused by the attack.
Successful exploitation of this vulnerability will be extensively logged, as it requires multiple sessions and, in the case of a browser-based attack, multiple requests per session on a Keep-Alive connection. The term "attack" is used rather loosely here: a quick series of jumps, especially by a large number of users, could bring the system down without any malicious intent, although the very high rate of requests necessary is unlikely to occur unless it is spread across several users.

"The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown
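Since the advisory notes that a session flood of this kind leaves a heavy trace in the access log, here is the sort of check an administrator could run over that log. This is an added example, not code from the advisory or from iMatix: a per-client sliding-window request-rate detector over Common Log Format lines, which also counts the 500/503 responses the advisory lists as early symptoms. The CLF layout, the client addresses, the timestamps and the thresholds are all constructed assumptions, not Xitami's actual log format or tuned values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# CLF line, e.g.: 10.0.0.5 - - [07/Aug/2002:14:02:11 -0500] "GET /a.htm HTTP/1.1" 200 512
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse_clf(line):
    """Return (client_ip, timestamp, status) or None for a non-CLF line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def detect_bursts(lines, window_seconds=5, threshold=20):
    """Per-client sliding-window rate check. Returns ({ip: peak requests seen in one
    window} for clients reaching `threshold`, number of 500/503 responses seen)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks, server_errors = {}, 0
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue              # skip malformed or non-CLF lines
        ip, ts, status = parsed
        if status in (500, 503):
            server_errors += 1    # early symptoms named in the advisory
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop timestamps that aged out of the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks, server_errors

def sample_log():
    """Constructed sample: one client hammering the site, one browsing normally."""
    base = datetime(2002, 8, 7, 14, 2, 11, tzinfo=timezone(timedelta(hours=-5)))
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {st} 512'
    lines = []
    for i in range(30):   # 30 requests in 3 seconds; the last five are answered 503
        lines.append(fmt.format(ip="10.0.0.5", ts=base + timedelta(seconds=i // 10),
                                path=f"/p{i}.htm", st=503 if i >= 25 else 200))
    for i in range(5):    # 5 requests spread over 40 seconds
        lines.append(fmt.format(ip="10.0.0.9", ts=base + timedelta(seconds=i * 10),
                                path="/index.htm", st=200))
    return lines

print(detect_bursts(sample_log()))   # ({'10.0.0.5': 30}, 5)
```

Thresholds should be tuned against the server's normal traffic and its configured session limit; the point of the check is to spot a burst from one source before the process reaches the abort stage, not to classify intent.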