[Full-disclosure] MiniWeb Content-Length DoS PoC



MiniWeb DoS PoC

Hello everybody!

This vulnerability was apparently originally discovered by Luigi Auriemma
You can find original advisory here:
http://aluigi.altervista.org/adv/winccflex_1-adv.txt

I accidentally rediscovered it in the latest version of MiniWeb -
available from code.google.com/p/miniweb recently while fuzzing with
POST requests. After a bit of head scratching and asking ohdae from
http://bindshell.it.cx for help, we isolated the cause of the crash as
being the "Content-Length: -10" part of the request. Basically, it
chokes on that and dies.

After much more fuzzing and debugging, I came to the conclusion that I
was never going to pull remote code execution out of this bug. It was
around that time that ohdae alerted me to the original advisory, and
much "aw hell, this aint no 0day" was had. Oh well. Both myself and
ohdae ended up writing our PoC exploits, and here is mine. Seeing as
this bug is not worth much, and still not patched, I may as well
release.

IMPORTANT NOTE: The Miniweb server is used as the default webserver in
WinCC/SCADA systems. I did not get to test my PoC on one, as I do not
own one, but I sure as hell hope those versions are patched. I
jokingly renamed the folder and binary of the fuzzed variant "SCADA"
as a reminder to me of what the hell it was. It would be most
unfortunate if they failed to patch, but, this being Siemens... I
actually reckon this is still unpatched there too.

Screenshots and debugger dumps can be found on my site/blog here:
http://insecurety.net/?p=65

Here is the proof of concept exploit, which is mirrored on my blog also.
PoC: http://pastebin.com/9EW96xGY

Again, much thanks to ohdae from Bindshell Labs -
http://bindshell.it.cx - without his help, it would likely have taken
me weeks to figure out where the bug was. I was convinced it was a
malicious POST variable for quite some time, ignoring the anomolous
Content-Length tag as I thought that was "harmless". I was wrong!

Regards,
Darren "infodox" Martyn,
Insecurety Research.

Bootnotes: If a Slow Post attack is launched against MiniWeb, it
starts using lots of CPU very fast (I got it using 60% of my CPU in no
time), however, it does not seem to stop responding quickly. Still
looking into a potential resource exhaustion flaw here.

Contact: This email, sometimes... If I check it... Job offers are
especially welcome :P
Site: http://insecurety.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/