Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Subject: WebObjects DoS
From: Bruce Potter (gdeadFORTNOCS.COM)
Date: Tue Apr 04 2000 - 13:17:24 CDT
- Next message: patrickPINE.NL: "Security Bulletins Digest"
- Previous message: Crispin Cowan: "Re: Fwd: ircii-4.4 buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
We've found a DoS in WebObjects apps (with a possible remote
exploit). So far we've found this problem in
WebObjects 4.5 Developer running with the CGI-adapter
and IIS 4.0 on NT 4.0 SP5. WO 4.5 Beta on Solaris 2.6 with
Netscape Enterprise isn't vulnerable.
Overview: If you send a large (4.1K) header variable to the
webobjects app it will core (fires up doctor watson). This
may result in a remotely executable exploit as the user
running IIS, but I haven't taken the time to check
Implementation: This worked on any app we tested it on,
including "empty" projects that did _nothing_. Construct
a message as follows
POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
Accept: AAAAAAAAA.... (about 4.1K worth of A's)
That's it. The app will die and fire up a doctor watson window.
From our testing, it appears that as long as you have > 4.1K worth
of headers, the app will die (ie: you don't need to have all the
data in one variable).
We submitted this vulnerablity to Apple last week. To their
credit they responded in a resonable timeframe. According to the
testing done on their end, this DoS is only present when you use
a development license. WO with deployment licenses are not
vulnerable. Our deployment license is "in the mail" so we haven't
been able to test this. Seems a bit odd to me being that you keep
the same software and just change the license key to "upgrade"
from devel to deploy... there's no new software installed. We'll