[UNIX] Dreambox DM500 Webserver Long URL Request Denial of Service
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 29 Aug 2008 12:07:12 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Dreambox DM500 Webserver Long URL Request Denial of Service
<http://www.dream-multimedia-tv.de/> Dreambox is "a Linux-based DVB
satellite, terrestrial and cable digital television decoder (set-top box),
produced by German multimedia vendor Dream Multimedia". Marc Ruef at scip
AG found an input validation error within the web interface of the model
DM500C. Other models, for example DM500S, might be affected too.
An attacker is able to send a very long HTTP request string (approx. 512
bytes) to the web server, which will cause a denial of service. The web
interface and some parts of the operating system might not be responsive
It is possible to exploit the vulnerability with a common web browser by
using a long URL.
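The advisory does not show the web server's code. As an added example (not from the advisory or the vendor), this C function illustrates the kind of input validation the report says is missing: the request line is length-checked before anything parses or copies it. The name `check_request_line` and the 256-byte `MAX_REQUEST_LINE` cap are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed cap, chosen below the ~512-byte request size the advisory reports. */
#define MAX_REQUEST_LINE 256

/* Hypothetical helper: validate one HTTP request line of known length before
 * any copy or parse. Returns the status to answer with: 0 = accept,
 * 414 = request line too long, 400 = malformed. */
int check_request_line(const char *line, size_t len)
{
    if (len > MAX_REQUEST_LINE)
        return 414;                      /* reject on length alone, copy nothing */
    if (memchr(line, '\0', len) != NULL)
        return 400;                      /* embedded NUL would truncate later C-string use */

    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line)
        return 400;                      /* no method */
    const char *target = sp1 + 1;
    size_t rest = len - (size_t)(target - line);
    const char *sp2 = memchr(target, ' ', rest);
    if (sp2 == NULL || sp2 == target)
        return 400;                      /* no request target */
    const char *ver = sp2 + 1;
    size_t verlen = len - (size_t)(ver - line);
    if (verlen != 8 || memcmp(ver, "HTTP/1.", 7) != 0 ||
        (ver[7] != '0' && ver[7] != '1'))
        return 400;                      /* only HTTP/1.0 and HTTP/1.1 accepted */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    char big[600];
    int n = snprintf(big, sizeof big, "GET /");
    memset(big + n, 'a', 512);
    memcpy(big + n + 512, " HTTP/1.0", 10);   /* includes the terminating NUL */

    const char *ok = "GET /index.html HTTP/1.0";
    printf("%d\n", check_request_line(ok, strlen(ok)));    /* normal request */
    printf("%d\n", check_request_line(big, strlen(big)));  /* oversized request */
    return 0;
}
```

The caller is expected to read at most `MAX_REQUEST_LINE + 1` bytes from the socket before calling the check, so an oversized line is never buffered in full.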
The HTTP web server fingerprinting suite
<http://www.computec.ch/projekte/httprecon/> httprecon is able to
reproduce the problem too. Just use the test plugin get_long (activated by
The Attack Tool Kit ( <http://www.computec.ch/projekte/atk/> ATK) is able
to exploit this vulnerability with the following generic ASL code (expand
the long URL request):
open|send GET http://192.168.0.1/aaa(...)
HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.# ### *
Because the attack is possible without further authentication, users with
access to the web server might affect the behavior of the
The web interface and some parts of the operating system are not
responsive anymore. A restart of the device is required to provide full
2008/04/28 Identification of the vulnerability by Marc Ruef
2008/04/30 First information to support-at-Dream-Multimedia-Tv.de
2008/04/30 Automated reply by the ticketing system (ticket id
2008/04/30 Manual response by Nils Weiberg announcing further
2008/05/22 Request for current state of investigation
2008/05/22 Another response by Nils Weiberg that the research is ongoing
2008/07/15 Last request for current state of investigation
2008/07/15 Another response by Nils Weiberg without further details
2008/08/29 Public disclosure of the advisory
The information has been provided by <mailto:maru@xxxxxxx> Marc Ruef.
The original article can be found at: