Message-ID: <20120531165912.kzl46el4chwgggsc@89.234.64.43>
Date: Thu, 31 May 2012 16:59:12 +0100
From: bugs@...ecurety.net
To: full-disclosure@...ts.grok.org.uk
Subject: MiniWeb Content-Length DoS PoC

MiniWeb DoS PoC

Hello everybody!

This vulnerability was apparently originally discovered by Luigi Auriemma. You can find the original advisory here: http://aluigi.altervista.org/adv/winccflex_1-adv.txt

I accidentally rediscovered it in the latest version of MiniWeb (available from code.google.com/p/miniweb) recently while fuzzing with POST requests. After a bit of head scratching and asking ohdae from http://bindshell.it.cx for help, we isolated the cause of the crash as being the "Content-Length: -10" part of the request. Basically, it chokes on that and dies.

After much more fuzzing and debugging, I came to the conclusion that I was never going to pull remote code execution out of this bug. It was around that time that ohdae alerted me to the original advisory, and much "aw hell, this ain't no 0day" was had. Oh well.

Both ohdae and I ended up writing PoC exploits, and here is mine. Seeing as this bug is not worth much, and still not patched, I may as well release.

IMPORTANT NOTE: The MiniWeb server is used as the default webserver in WinCC/SCADA systems. I did not get to test my PoC on one, as I do not own one, but I sure as hell hope those versions are patched. I jokingly renamed the folder and binary of the fuzzed variant "SCADA" as a reminder to me of what the hell it was. It would be most unfortunate if they failed to patch, but, this being Siemens... I actually reckon this is still unpatched there too.

Screenshots and debugger dumps can be found on my site/blog here: http://insecurety.net/?p=65

Here is the proof of concept exploit, which is mirrored on my blog also.
PoC: http://pastebin.com/9EW96xGY

Again, much thanks to ohdae from Bindshell Labs (http://bindshell.it.cx); without his help, it would likely have taken me weeks to figure out where the bug was. I was convinced it was a malicious POST variable for quite some time, ignoring the anomalous Content-Length tag as I thought that was "harmless". I was wrong!

Regards,
Darren "infodox" Martyn, Insecurety Research.

Bootnotes: If a Slow POST attack is launched against MiniWeb, it starts using lots of CPU very fast (I got it using 60% of my CPU in no time); however, it does not seem to stop responding quickly. Still looking into a potential resource exhaustion flaw here.

Contact: This email, sometimes... If I check it... Job offers are especially welcome :P
Site: http://insecurety.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
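As an added defender's example (not code from the advisory, from MiniWeb, or from the linked PoC): a strict Content-Length parser in C that rejects the negative value described above before it can reach a buffer-size or read-count computation, which is where an unchecked signed length typically causes a crash. The function names and the 8 MiB body cap are assumptions.

```c
/* Strict Content-Length validation. Example added here; not MiniWeb code.
 * RFC 7230 defines the field value as 1*DIGIT, so a sign, hex prefix,
 * empty value or trailing junk is a malformed request, not a length. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

#define MAX_BODY_BYTES (8L * 1024 * 1024)   /* assumed per-request body cap */

enum cl_status { CL_OK = 0, CL_EMPTY, CL_NEGATIVE, CL_NOT_NUMERIC, CL_TOO_LARGE };

/* Parse the raw header value; on CL_OK, *out holds a length in
 * [0, MAX_BODY_BYTES]. Optional whitespace around the digits is allowed. */
enum cl_status parse_content_length(const char *value, long *out)
{
    const char *p = value;
    char *end;
    long n;

    while (*p == ' ' || *p == '\t') p++;                  /* leading OWS */
    if (*p == '\0') return CL_EMPTY;
    if (*p == '-') return CL_NEGATIVE;                    /* the "-10" case */
    if (!isdigit((unsigned char)*p)) return CL_NOT_NUMERIC; /* also rejects "+5" */

    errno = 0;
    n = strtol(p, &end, 10);                              /* first char is a digit */
    if (errno == ERANGE) return CL_TOO_LARGE;             /* overflowed long */

    while (*end == ' ' || *end == '\t') end++;            /* trailing OWS */
    if (*end != '\0' && *end != '\r' && *end != '\n') return CL_NOT_NUMERIC;

    if (n > MAX_BODY_BYTES) return CL_TOO_LARGE;
    *out = n;
    return CL_OK;
}

/* Convenience wrappers for callers that only need a verdict or a value. */
enum cl_status content_length_status(const char *value)
{
    long n = 0;
    return parse_content_length(value, &n);
}

long content_length_value(const char *value)   /* -1 when the header is rejected */
{
    long n = 0;
    return parse_content_length(value, &n) == CL_OK ? n : -1;
}
```

A server that calls this before allocating or reading the body never sees the negative value at all; a request that fails here should be answered with 400 and logged, since a negative or non-numeric Content-Length is a useful detection signal.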