[Full-Disclosure] Moby NetSuite POST Denial of Service Vulnerability

From: Matthew Murphy (mattmurphy@kc.rr.com)
Date: 11/29/02


From: mattmurphy@kc.rr.com (Matthew Murphy)
Date: Thu, 28 Nov 2002 22:02:13 -0600

Advisory: Moby NetSuite POST Denial of Service Vulnerability

Moby NetSuite is an HTTP/SMTP package designed for simplicity. It supports
CGI, including POST form submissions. A vulnerability in the POST handler
could lead to denial of service against the server.

When faced with a POST request, NetSuite allocates a buffer according to the
incoming Content-Length header, reads in that number of bytes, and passes
them on as the CGI process' STDIN stream. The value for the number of bytes
read is returned from an atoi() call.

When the header's value is too large to fit in an integer value, or is not
numeric, the atoi() library call leaves the variable in its previous state.
In this case, the variable is undefined, as it has no data before the length
is determined. An sprintf() call that occurs while creating the CGI
environment for the child then attempts to read the undefined data,
resulting in an access violation. Restart of services is required to regain
normal functionality.

Example:

[Begin Session]
POST /cgi-bin/test.cgi HTTP/1.0
Content-Length: 111111111111111111111111111

A

[End Session]

NetSuite crashes within seconds with an access violation: illegal use of
un-initialized data variable.

http://www.techie.hopto.org/bug.php?2002-48 (Write-Up)
http://www.techie.hopto.org/exploits.php?moby (Exploit code in HTML form)
http://www.techie.hopto.org/getexpl.php?moby (Exploit code in downloadable
form)