[UNIX] Dreambox DM500 Webserver Long URL Request Denial of Service



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Dreambox DM500 Webserver Long URL Request Denial of Service
------------------------------------------------------------------------


SUMMARY

<http://www.dream-multimedia-tv.de/> Dreambox is "a Linux-based DVB
satellite, terrestrial and cable digital television decoder (set-top box),
produced by German multimedia vendor Dream Multimedia". Marc Ruef at scip
AG found an input validation error within the web interface of the model
DM500C. Other models, for example DM500S, might be affected too.

DETAILS

An attacker is able to send a very long HTTP request string (approx. 512
bytes) to the web server, which causes a denial of service. The web
interface and some parts of the operating system may no longer be
responsive.

Exploit:
It is possible to exploit the vulnerability with a common web browser by
requesting a long URL.

The HTTP web server fingerprinting suite
<http://www.computec.ch/projekte/httprecon/> httprecon is able to
reproduce the problem too. Just use the test plugin get_long (activated by
default).

The Attack Tool Kit ( <http://www.computec.ch/projekte/atk/> ATK) is able
to exploit this vulnerability with the following generic ASL code (expand
the long URL request):
open|send GET http://192.168.0.1/aaa(...)
HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.# ### *

Impact:
Because the attack requires no authentication, anyone with network access
to the web server can affect the behavior of the device.

The web interface and some parts of the operating system are no longer
responsive. A restart of the device is required to restore full
functionality.
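Since the device itself does not log requests in a form that is easy to
inspect, a practical defender-side check is to watch the access log of a
proxy or firewall placed in front of the box for request lines at or above
the roughly 512-byte size the advisory reports. The following Python script
is an added example and is not part of the advisory or of the Dreambox
software; the Common Log Format lines it scans are constructed for the
example, and the 512-byte threshold is taken from the DETAILS section.

```python
import re

# Threshold taken from the advisory: an HTTP request string of roughly
# 512 bytes is enough to make the DM500 web interface unresponsive.
MAX_REQUEST_LINE = 512

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical proxy in front of the device).
# The third line carries a 600-byte path, far above the advisory's threshold.
SAMPLE_LOG = [
    '192.168.0.20 - - [29/Aug/2008:10:00:01 +0200] '
    '"GET /index.html HTTP/1.0" 200 1532',
    '192.168.0.20 - - [29/Aug/2008:10:00:02 +0200] '
    '"GET /cgi-bin/status HTTP/1.0" 200 214',
    '192.168.0.99 - - [29/Aug/2008:10:00:03 +0200] '
    '"GET /' + 'a' * 600 + ' HTTP/1.0" 400 0',
    'this line is deliberately malformed and must be skipped',
]


def parse_log_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Measure the request line in bytes, since the device limit is a byte count.
    rec['request_len'] = len(rec['request'].encode('utf-8'))
    return rec


def find_long_requests(lines, limit=MAX_REQUEST_LINE):
    """Return every parsed record whose request line is at least `limit` bytes."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # unparseable lines are ignored rather than treated as hits
        if rec['request_len'] >= limit:
            hits.append(rec)
    return hits


def count_by_source(hits):
    """Aggregate hits per client address so repeat offenders stand out."""
    counts = {}
    for rec in hits:
        counts[rec['ip']] = counts.get(rec['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    long_requests = find_long_requests(SAMPLE_LOG)
    for rec in long_requests:
        print(f"{rec['ts']} {rec['ip']} request line {rec['request_len']} bytes "
              f"(status {rec['status']})")
    print('hits per source:', count_by_source(long_requests))
```

The threshold is deliberately a "greater than or equal" comparison on the
full request line rather than on the URL alone, because the advisory
describes the whole HTTP request string as the trigger; lower the limit if
the front-end proxy already normalizes or truncates requests.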

Disclosure timeline:
2008/04/28 Identification of the vulnerability by Marc Ruef
2008/04/30 First information to support-at-Dream-Multimedia-Tv.de
2008/04/30 Automated reply by the ticketing system (ticket id
2008043010000466)
2008/04/30 Manual response by Nils Weiberg announcing further
investigation
2008/05/22 Request for current state of investigation
2008/05/22 Another response by Nils Weiberg that the research is ongoing
2008/07/15 Last request for current state of investigation
2008/07/15 Another response by Nils Weiberg without further details
2008/08/29 Public disclosure of the advisory


ADDITIONAL INFORMATION

The information has been provided by <mailto:maru@xxxxxxx> Marc Ruef.
The original article can be found at:
<http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3807>


