Apple Darwin Streaming Server Device Name DoS

2003-07-22T20:39:31
ID OSVDB:2327
Type osvdb
Reporter Rapid7 Security Advisories(advisory@rapid7.com)
Modified 2003-07-22T20:39:31

Description

Vulnerability Description

Darwin Streaming Server contains a flaw that allows a remote attacker to crash the service. The issue is due to the server's web interface not properly handling requests whose path contains an MS-DOS reserved device name (such as AUX). If an attacker requests such a URL, the service terminates.

Solution Description

Upgrade to version 4.1.3g or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

Short Description

Darwin Streaming Server contains a flaw that allows a remote attacker to crash the service. The issue is due to the server's web interface not properly handling requests whose path contains an MS-DOS reserved device name (such as AUX). If an attacker requests such a URL, the service terminates.

Manual Testing Notes

    telnet [victim] 1220
    GET /AUX HTTP/1.0

References:

Vendor URL: http://www.apple.com/
Vendor Specific Solution URL: http://developer.apple.com/darwin/projects/streaming/
Related OSVDB ID: 4224
Related OSVDB ID: 4225
Related OSVDB ID: 4227
Related OSVDB ID: 4228
Related OSVDB ID: 4226
Related OSVDB ID: 4223
Other Advisory URL: http://www.rapid7.com/advisories/R7-0015.html
Keyword: Port 1220
CVE: CVE-2003-0421