Open Source and information security mailing list archives
Message-ID: <20120531165912.kzl46el4chwgggsc@89.234.64.43>
Date: Thu, 31 May 2012 16:59:12 +0100
From: bugs@...ecurety.net
To: full-disclosure@...ts.grok.org.uk
Subject: MiniWeb Content-Length DoS PoC

MiniWeb DoS PoC

Hello everybody!

This vulnerability was apparently originally discovered by Luigi Auriemma.
You can find the original advisory here:  
http://aluigi.altervista.org/adv/winccflex_1-adv.txt

I accidentally rediscovered it in the latest version of MiniWeb (available  
from code.google.com/p/miniweb) recently while fuzzing with  
POST requests.  After a bit of head scratching and asking ohdae from  
http://bindshell.it.cx for help, we isolated the cause of the crash as  
being the "Content-Length: -10" part of the request. Basically, it  
chokes on that and dies.

After much more fuzzing and debugging, I came to the conclusion that I  
was never going to pull remote code execution out of this bug. It was  
around that time that ohdae alerted me to the original advisory, and  
much "aw hell, this ain't no 0day" was had. Oh well. Both ohdae and I  
ended up writing our PoC exploits, and here is mine. Seeing as  
this bug is not worth much, and still not patched, I may as well  
release.

IMPORTANT NOTE: The Miniweb server is used as the default webserver in  
WinCC/SCADA systems. I did not get to test my PoC on one, as I do not  
own one, but I sure as hell hope those versions are patched. I  
jokingly renamed the folder and binary of the fuzzed variant "SCADA"  
as a reminder to me of what the hell it was. It would be most  
unfortunate if they failed to patch, but, this being Siemens... I  
actually reckon this is still unpatched there too.

Screenshots and debugger dumps can be found on my site/blog here:  
http://insecurety.net/?p=65

Here is the proof of concept exploit, which is mirrored on my blog also.
PoC: http://pastebin.com/9EW96xGY

Again, much thanks to ohdae from Bindshell Labs -  
http://bindshell.it.cx - without his help, it would likely have taken  
me weeks to figure out where the bug was. I was convinced it was a  
malicious POST variable for quite some time, ignoring the anomalous  
Content-Length tag as I thought that was "harmless". I was wrong!

Regards,
Darren "infodox" Martyn,
Insecurety Research.

Bootnotes: If a Slow Post attack is launched against MiniWeb, it  
starts using lots of CPU very fast (I got it using 60% of my CPU in no  
time), however, it does not seem to stop responding quickly. Still  
looking into a potential resource exhaustion flaw here.

Contact: This email, sometimes... If I check it... Job offers are  
especially welcome :P
Site: http://insecurety.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
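The crash described in the post comes down to a server accepting "Content-Length: -10" and acting on it. The added example below is not MiniWeb's code and is not the poster's PoC; it is a stand-alone C routine, written for this archive page, showing the validation an HTTP server needs in front of any code that sizes a buffer or a read loop from that header. It follows RFC 7230 (the value is 1*DIGIT, nothing else), rejects duplicates with conflicting values, and enforces a server-side body limit using an overflow-safe comparison. BODY_LIMIT, the sample requests and the wrapper names are assumptions made for the demo, not values from the page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest request body this hypothetical server will buffer (assumed value). */
#define BODY_LIMIT ((size_t)1048576)

typedef enum {
    CL_OK = 0,
    CL_MISSING,    /* no Content-Length header present */
    CL_INVALID,    /* negative, non-numeric, empty, or conflicting duplicates */
    CL_TOO_LARGE   /* numeric but above BODY_LIMIT */
} cl_status;

/* Parse one Content-Length value as RFC 7230 defines it: 1*DIGIT with optional
 * surrounding whitespace. A leading '-' is not a digit, so "-10" is rejected
 * here instead of being turned into a signed length downstream. */
static cl_status parse_content_length(const char *value, size_t limit, size_t *out)
{
    if (value == NULL) return CL_MISSING;
    while (*value == ' ' || *value == '\t') value++;
    size_t len = strlen(value);
    while (len > 0 && isspace((unsigned char)value[len - 1])) len--;
    if (len == 0) return CL_INVALID;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)value[i])) return CL_INVALID;
        size_t d = (size_t)(value[i] - '0');
        /* Accept only if n*10 + d <= limit, computed without overflow. */
        if (d > limit || n > (limit - d) / 10) return CL_TOO_LARGE;
        n = n * 10 + d;
    }
    *out = n;
    return CL_OK;
}

/* Case-insensitive match of "<name>:" at the start of a header line. */
static int header_is(const char *line, const char *name, const char **value)
{
    size_t i = 0;
    for (; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    if (line[i] != ':') return 0;
    *value = line + i + 1;
    return 1;
}

/* Walk the header block of a raw request and validate Content-Length before
 * any body byte is read or any buffer is sized from it. */
static cl_status content_length_of(const char *request, size_t limit, size_t *out)
{
    const char *p = strstr(request, "\r\n");          /* skip the request line */
    if (p == NULL) return CL_INVALID;
    p += 2;
    int seen = 0;
    size_t seen_value = 0;
    while (*p != '\0' && strncmp(p, "\r\n", 2) != 0) { /* stop at the blank line */
        const char *eol = strstr(p, "\r\n");
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        const char *value;
        if (header_is(p, "Content-Length", &value)) {
            char buf[32];
            size_t vlen = line_len - (size_t)(value - p);
            if (vlen >= sizeof buf) return CL_INVALID;   /* absurdly long value */
            memcpy(buf, value, vlen);
            buf[vlen] = '\0';
            size_t n;
            cl_status st = parse_content_length(buf, limit, &n);
            if (st != CL_OK) return st;
            if (seen && n != seen_value) return CL_INVALID; /* RFC 7230 3.3.2 */
            seen = 1;
            seen_value = n;
        }
        if (eol == NULL) break;
        p = eol + 2;
    }
    if (!seen) return CL_MISSING;
    *out = seen_value;
    return CL_OK;
}

/* Constructed sample requests for the demo (not captured traffic). */
static const char kNegative[] = "POST /cgi HTTP/1.1\r\nHost: x\r\nContent-Length: -10\r\n\r\n";
static const char kValid[]    = "POST /cgi HTTP/1.1\r\nHost: x\r\ncontent-length:  5 \r\n\r\nhello";
static const char kMissing[]  = "POST /cgi HTTP/1.1\r\nHost: x\r\n\r\n";
static const char kHuge[]     = "POST /cgi HTTP/1.1\r\nContent-Length: 99999999999999999999\r\n\r\n";
static const char kConflict[] = "POST /cgi HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n";

static cl_status status_of(const char *req)
{
    size_t n = 0;
    return content_length_of(req, BODY_LIMIT, &n);
}

/* Returns the validated length, or -1 when the request must be rejected. */
static long length_of(const char *req)
{
    size_t n = 0;
    return content_length_of(req, BODY_LIMIT, &n) == CL_OK ? (long)n : -1;
}

int main(void)
{
    static const char *names[] = {"OK", "MISSING", "INVALID", "TOO_LARGE"};
    const char *samples[] = {kNegative, kValid, kMissing, kHuge, kConflict};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %s (length %ld)\n", i,
               names[status_of(samples[i])], length_of(samples[i]));
    return 0;
}
```

The point of the bound check inside the digit loop is that the limit is applied while parsing rather than after converting to a machine integer, so a twenty-digit value cannot wrap before it is compared; and because only digits are accepted, the negative value from the post never reaches the code that allocates or reads the body.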
