[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] MiniWeb Content-Length DoS PoC

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] MiniWeb Content-Length DoS PoC
From: bugs@xxxxxxxxxxxxxx
Date: Thu, 31 May 2012 16:59:12 +0100

MiniWeb DoS PoC

Hello everybody!

This vulnerability was apparently originally discovered by Luigi Auriemma
You can find original advisory here:  
http://aluigi.altervista.org/adv/winccflex_1-adv.txt

I accidentally rediscovered it in the latest version of MiniWeb -  
available from code.google.com/p/miniweb recently while fuzzing with  
POST requests.  After a bit of head scratching and asking ohdae from  
http://bindshell.it.cx for help, we isolated the cause of the crash as  
being the "Content-Length: -10" part of the request. Basically, it  
chokes on that and dies.

After much more fuzzing and debugging, I came to the conclusion that I  
was never going to pull remote code execution out of this bug. It was  
around that time that ohdae alerted me to the original advisory, and  
much "aw hell, this aint no 0day" was had. Oh well. Both myself and  
ohdae ended up writing our PoC exploits, and here is mine. Seeing as  
this bug is not worth much, and still not patched, I may as well  
release.

IMPORTANT NOTE: The Miniweb server is used as the default webserver in  
WinCC/SCADA systems. I did not get to test my PoC on one, as I do not  
own one, but I sure as hell hope those versions are patched. I  
jokingly renamed the folder and binary of the fuzzed variant "SCADA"  
as a reminder to me of what the hell it was. It would be most  
unfortunate if they failed to patch, but, this being Siemens... I  
actually reckon this is still unpatched there too.

Screenshots and debugger dumps can be found on my site/blog here:  
http://insecurety.net/?p=65

Here is the proof of concept exploit, which is mirrored on my blog also.
PoC: http://pastebin.com/9EW96xGY

Again, much thanks to ohdae from Bindshell Labs -  
http://bindshell.it.cx - without his help, it would likely have taken  
me weeks to figure out where the bug was. I was convinced it was a  
malicious POST variable for quite some time, ignoring the anomolous  
Content-Length tag as I thought that was "harmless". I was wrong!

Regards,
Darren "infodox" Martyn,
Insecurety Research.

Bootnotes: If a Slow Post attack is launched against MiniWeb, it  
starts using lots of CPU very fast (I got it using 60% of my CPU in no  
time), however, it does not seem to stop responding quickly. Still  
looking into a potential resource exhaustion flaw here.

Contact: This email, sometimes... If I check it... Job offers are  
especially welcome :P
Site: http://insecurety.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] imagine ..
Next by Date: [Full-disclosure] VULNERABILITY LAB and why they suck hard
Previous by thread: [Full-disclosure] ScriptFu Server Buffer Overflow in GIMP <= 2.6
Next by thread: [Full-disclosure] VULNERABILITY LAB and why they suck hard
Index(es):
- Date
- Thread