SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Xitami Web Server
Vendors:   iMatix
Xitami Web Server Can Be Crashed By Remote Users Opening Multiple Concurrent Sessions
SecurityTracker Alert ID:  1004971
SecurityTracker URL:  http://securitytracker.com/id/1004971
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 7 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.5b5
Description:   A denial of service vulnerability was reported in the Xitami web server. The server does not properly handle large numbers of connections, creating denial of service conditions.

It is reported that the error occurs after the server receives a large number of concurrent sessions, resulting in the following observed behavior:

1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Ignores session request
5) Server crashes

The crash is reportedly a Microsoft Visual C++ Runtime Error that is triggered in XIWIN32.EXE. It may be due to the server failing to "clean up" resources associated with connections that are broken or have been closed. According to the report, the bug may be related to the handling of Keep-Alive connections and the failure to close them.

Impact:   A remote user can cause the server to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xitami.com/
Cause:   Resource error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98)

Message History:   None.


 Source Message Contents

Date:  Fri, 2 Aug 2002 17:27:33 -0500
Subject:  Xitami Connection Flood Server Termination Vulnerability


Affected Systems
------------------
The vulnerability was discovered on Xitami 2.5b5 for Win32,
so this may (not) be a Win32-specific issue.  No data has been
collected on other versions, so such a determination would be
purely speculation and therefore not helpful to those running
potentially vulnerable systems.

The Problem
-------------
Xitami 2.5b5 is the latest (Beta) version of iMatix' flagship
web server.  It appears to be handling large numbers of
connections in an erratic manner.

The end result of this problem is a denial of service issue
resulting from a runtime error in the server process.  The
vulnerability appears to occur after the server exceeds
its maximum number of concurrent sessions:

1) Service Unavailable error
2) 500 Internal error response
3) Blank document is returned
4) Ignores session request
5) Server crashes (DOH!)

When the fifth stage of service issues is reached Xitami
dies due to a Microsoft Visual C++ Runtime Error, an
abnormal program termination inside XIWIN32.EXE
has occurred.  The message is *not* followed by any
Win32 exception dialog.

The Workaround
------------------
The solution for Beta users is to simply stop limiting the
maximum number of HTTP sessions at once, although
this may cause performance issues.

Exploitation
------------
Simply making quick moves around the vulnerable site
can result in successful exploitation of the vulnerability.
It should be noted that browser-based exploitation will
require extensive use of the back button when reaching
the more extensive stages of service failure.

Other Notes
-------------
Unlike some server crashes, the service process will
*not* recover from the crash caused by the attack.

Successful exploitation of this vulnerability will be 
extensively logged, as it would require multiple sessions,
and in the event of a browser-based attack, would
require multiple requests per session on a Keep-Alive
connection.

The term "attack" is used rather loosely, as a quick
series of jumps, especially by a large number of users,
could bring the system down without malicious intent,
although the very high level of speed necessary for
this attack is not likely to occur unless widely-spread
between several users.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown
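
The message above notes that the condition "will be extensively logged". As an added example (not part of the advisory or the original message), this Python script scans an access log for time windows that combine a high request rate with the 503, 500 and empty-body responses listed in the report. The Common Log Format layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: access log in Common Log Format; adapt the pattern otherwise.
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) (\S+)')
ERROR_STAGES = {503: "service_unavailable", 500: "internal_error"}

def parse(line):
    """Return (epoch_seconds, client, status, body_bytes), or None if unparseable."""
    m = CLF.match(line)
    if not m:
        return None
    host, ts, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return int(when.timestamp()), host, int(status), 0 if size == "-" else int(size)

def stage(status, size):
    """Map a response to a degradation stage listed in the advisory, if any."""
    if status == 200 and size == 0:
        return "blank_document"
    return ERROR_STAGES.get(status)

def find_overload(lines, window=10, max_requests=20):
    """Flag fixed windows (in seconds) that combine heavy load with degraded responses."""
    buckets = defaultdict(list)
    for entry in filter(None, map(parse, lines)):
        buckets[entry[0] // window].append(entry)
    findings = []
    for key in sorted(buckets):
        entries = buckets[key]
        stages = Counter(filter(None, (stage(s, b) for _, _, s, b in entries)))
        if len(entries) > max_requests and stages:
            findings.append({"window_start": key * window,
                             "requests": len(entries),
                             "clients": Counter(h for _, h, _, _ in entries),
                             "stages": dict(stages)})
    return findings

def sample_log():
    """Constructed log lines: a quiet period, then a burst that ends in errors."""
    fmt = '192.0.2.{} - - [02/Aug/2002:17:{:02d}:{:02d} -0500] "GET /p{} HTTP/1.1" {} {}'
    quiet = [fmt.format(9, 10, s, s, 200, 512) for s in (0, 20, 40)]
    burst = [fmt.format(1 + i % 3, 20, i // 5, i, 200, 512) for i in range(24)]
    tail = [fmt.format(1, 20, 5, "x", 503, 120), fmt.format(2, 20, 6, "y", 500, 90),
            fmt.format(3, 20, 7, "z", 200, 0)]
    return quiet + burst + tail + ["unparseable line"]

if __name__ == "__main__":
    print(find_overload(sample_log()))
```

Ignored requests and the crash itself leave no response entries, so a flagged window followed by silence in the log is the cue to check whether the server process is still running.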
Copyright 2014, SecurityGlobal.net LLC