lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009801c2975c$1970bf40$e62d1c41@kc.rr.com>
From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Moby NetSuite POST Denial of Service Vulnerability

Advisory: Moby NetSuite POST Denial of Service Vulnerability

Moby NetSuite is an HTTP/SMTP package designed for simplicity. It supports
CGI, including POST form submissions. A vulnerability in the POST handler
could lead to denial of service against the server.

When faced with a POST request, NetSuite allocates a buffer according to the
incoming Content-Length header, reads in that number of bytes, and passes
them on as the CGI process' STDIN stream. The value for the number of bytes
read is returned from an atoi() call.

When the header's value is too large to fit in an integer value, or is not
numeric, the atoi() library call leaves the variable in its previous state.
In this case, the variable is undefined, as it has no data before the length
is determined. An sprintf() call that occurs while creating the CGI
environment for the child then attempts to read the undefined data,
resulting in an access violation. Restart of services is required to regain
normal functionality.

Example:

[Begin Session]
POST /cgi-bin/test.cgi HTTP/1.0
Content-Length: 111111111111111111111111111

A

[End Session]

NetSuite crashes within seconds with an access violation: illegal use of
un-initialized data variable.

http://www.techie.hopto.org/bug.php?2002-48 (Write-Up)
http://www.techie.hopto.org/exploits.php?moby (Exploit code in HTML form)
http://www.techie.hopto.org/getexpl.php?moby (Exploit code in downloadable
form)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ