Kojoney 0.0.4.1 Denial Of Service

2010-02-25T00:00:00
ID PACKETSTORM:86688
Type packetstorm
Reporter Nicob
Modified 2010-02-25T00:00:00

Description

                                        
[=] Affected software :   
  
Name : Kojoney  
Description : Low interaction SSH honeypot  
Version : < 0.0.4.2  
Service : TCP/22  
  
[=] Patched version :   
  
http://sourceforge.net/projects/kojoney/files/kojoney-0.0.4.2.tar.gz/download  
  
[=] Technical details :   
  
Emulation of the wget and curl commands is made via calls to  
urllib.urlopen(url). The only sanity check is the following :  
  
    if url.find("://") == -1:
        url = "http://" + url
  
This will catch some attempts to access local files like  
"file:/etc/hosts" but requesting "file://localhost/foo/bar" is still  
possible.  
  
Under Linux, this can be used to access "file://localhost/dev/urandom".  
The kojoney.py process will then use 100% of CPU and will grow in  
memory, until killed by the kernel OOM Killer.  
  
[=] Note :  
  
When exploiting urlopen() related vulnerabilities in Python
applications, some little-known features can come in handy :
  
data://,HelloWorld  
=> returned value is "HelloWorld"  
  
data:text;base64,WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=://a  
=> returned value is the EICAR test string  
  
And yes, these strings too bypass the "://" Kojoney check ;-)  
  
Nicob   
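
Added example, not part of the original advisory and not Kojoney's own code: the check quoted under "Technical details" next to a stricter scheme allowlist and a size-capped read, run over the strings from the advisory. The names page_check, strict_check and read_capped, the 1 MiB cap and the example.com inputs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: HTTP(S) only, 1 MiB per emulated download.
ALLOWED_SCHEMES = {"http", "https"}
MAX_BODY = 1 << 20

# Explicit "scheme:" prefix; "host:port" (digits, then "/" or end) is not one.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(?!\d+(?:/|$))")

# Constructed inputs: strings quoted in the advisory plus two benign ones.
SAMPLES = ["example.com/x.sh", "example.com:8080/x", "file:/etc/hosts",
           "file://localhost/dev/urandom", "data://,HelloWorld"]

def page_check(url):
    """The check quoted in the advisory, behaviour unchanged."""
    if url.find("://") == -1:
        url = "http://" + url
    return url

def strict_check(url):
    """Return an http(s) URL that names a host, or raise ValueError."""
    m = SCHEME_RE.match(url)
    if m is None:
        url = "http://" + url  # bare host[:port]/path, as typed to wget
    elif m.group(1).lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: " + m.group(1))
    if not urlsplit(url).hostname:
        raise ValueError("no host in URL")
    return url

def read_capped(stream, limit=MAX_BODY, chunk=8192):
    """Read at most `limit` bytes; raise rather than buffer without bound."""
    buf = bytearray()
    while True:
        block = stream.read(min(chunk, limit + 1 - len(buf)))
        if not block:
            return bytes(buf)
        buf += block
        if len(buf) > limit:
            raise ValueError("body exceeds %d bytes" % limit)

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            verdict = strict_check(s)
        except ValueError as exc:
            verdict = "rejected (%s)" % exc
        print("%-30s page: %-30s strict: %s" % (s, page_check(s), verdict))
```

read_capped is meant to wrap the object returned by urlopen(), so an endless source is cut off at the cap instead of growing the process.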