[<prev] [next>] [day] [month] [year] [list]
Message-ID: <021501c23a73$cc463b40$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Xitami Connection Flood Server Termination Vulnerability
Affected Systems
------------------
The vulnerability was discovered on Xitami 2.5b5 for Win32,
so this may (not) be a Win32-specific issue. No data has been
collected on other versions, so such a determination would be
purely speculation and therefore not helpful to those running
potentially vulnerable systems.
The Problem
-------------
Xitami 2.5b5 is the latest (Beta) version of iMatix' flagship
web server. It appears to be handling large numbers of
connections in an erratic manner.
The end result of this problem is a denial of service issue
resulting from a runtime error in the server process. The
vulnerability appears to occur after the server exceeds
its maximum number of concurrent sessions:
1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Ignores session request
5) Server crashes (DOH!)
When the fifth stage of service issues is reached Xitami
dies due to a Microsoft Visual C++ Runtime Error, an
abnormal program termination inside XIWIN32.EXE
has occurred. The message is *not* followed by any
Win32 exception dialog.
The Workaround
------------------
The solution for Beta users is to simply stop limiting the
maximum number of HTTP sessions at once, although
this may cause performance issues.
Exploitation
------------
Simply making quick moves around the vulnerable site
can result in successful exploitation of the vulnerability.
It should be noted that browser-based exploitation will
require extensive use of the back button when reaching
the more extensive stages of service failure.
Other Notes
-------------
Unlike some server crashes, the service process will
*not* recover from the crash caused by the attack.
Successful exploitation of this vulnerability will be
extensively logged, as it would require multiple sessions,
and in the event of a browser-based attack, would
require multiple requests per session on a Keep-Alive
connection.
The term "attack" is used rather loosely, as a quick
series of jumps, especially by a large number of users,
could bring the system down without malicious intent,
although the very high level of speed necessary for
this attack is not likely to occur unless widely-spread
between several users.
"The reason the mainstream is thought
of as a stream is because it is
so shallow."
- Author Unknown
Powered by blists - more mailing lists