[Full-Disclosure] Xitami Connection Flood Server Termination Vulnerability

From: Matthew Murphy (full-disclosure@lists.netsys.com)
Date: 08/03/02


From: full-disclosure@lists.netsys.com (Matthew Murphy)
Date: Fri, 2 Aug 2002 17:27:33 -0500

Affected Systems
------------------
The vulnerability was discovered on Xitami 2.5b5 for Win32,
so this may (not) be a Win32-specific issue. No data has been
collected on other versions, so such a determination would be
purely speculation and therefore not helpful to those running
potentially vulnerable systems.

The Problem
-------------
Xitami 2.5b5 is the latest (Beta) version of iMatix' flagship
web server. It appears to be handling large numbers of
connections in an erratic manner.

The end result of this problem is a denial of service issue
resulting from a runtime error in the server process. The
vulnerability appears to occur after the server exceeds
its maximum number of concurrent sessions:

1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Ignores session request
5) Server crashes (DOH!)

When the fifth stage of service issues is reached Xitami
dies due to a Microsoft Visual C++ Runtime Error, an
abnormal program termination inside XIWIN32.EXE
has occurred. The message is *not* followed by any
Win32 exception dialog.

The Workaround
------------------
The solution for Beta users is to simply stop limiting the
maximum number of HTTP sessions at once, although
this may cause performance issues.

Exploitation
------------
Simply making quick moves around the vulnerable site
can result in successful exploitation of the vulnerability.
It should be noted that browser-based exploitation will
require extensive use of the back button when reaching
the more extensive stages of service failure.

Other Notes
-------------
Unlike some server crashes, the service process will
*not* recover from the crash caused by the attack.

Successful exploitation of this vulnerability will be
extensively logged, as it would require multiple sessions,
and in the event of a browser-based attack, would
require multiple requests per session on a Keep-Alive
connection.

The term "attack" is used rather loosely, as a quick
series of jumps, especially by a large number of users,
could bring the system down without malicious intent,
although the very high level of speed necessary for
this attack is not likely to occur unless widely-spread
between several users.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown



Relevant Pages

  • SecurityFocus Microsoft Newsletter #142
    ... MICROSOFT VULNERABILITY SUMMARY ... Mollensoft Enceladus Server Suite Clear Text Password Storage... ... FakeBO Syslog Format String Vulnerability ... Methodus 3 Web Server File Disclosure Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #139
    ... OFF any Windows 2000 Managed Dedicated Hosting Solution from Interland. ... Sun ONE Application Server Plaintext Password Vulnerability ... Batalla Naval Remote Buffer Overflow Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #140
    ... Cafelog b2 Remote File Include Vulnerability ... Webfroot Shoutbox Remote Command Execution Vulnerability ... Pablo Software Solutions Baby POP3 Server Multiple Connection... ... Microsoft Windows XP Nested Directory Denial of Service... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter # 150
    ... - automatically set positive security policies for real-time protection, ... MICROSOFT VULNERABILITY SUMMARY ... Meteor FTP Server USER Memory Corruption Vulnerability ... MDaemon SMTP Server Null Password Authentication Vulnerabili... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #152
    ... MICROSOFT VULNERABILITY SUMMARY ... Real Networks Helix Universal Server Remote Buffer Overflow ... ... NEW PRODUCTS FOR MICROSOFT PLATFORMS ...
    (Focus-Microsoft)