SecurityTracker.com
SecurityTracker Archives

Category: Application (Security) > WEBsweeper
Vendors: Baltimore Technologies
Websweeper From Baltimore Technologies Can Be Crashed Remotely Because It Does Not Limit The Size of Web Requests
SecurityTracker Alert ID: 1001066
SecurityTracker URL: http://securitytracker.com/id/1001066
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 12 2001
Impact: Denial of service via network
Exploit Included: Yes
Version(s): 4.0 for Windows NT
Description: Defcom Labs reported a denial of service vulnerability in the Websweeper content security application from Baltimore Technologies in which an attacker can readily cause the application to consume all available memory and crash.

By sending a long HTTP request through the Websweeper application, it is possible to cause it to consume all available memory on the server and eventually have the operating system kill the process. There is no ability to limit the size of HTTP requests.

Impact: An attacker could remotely cause the Websweeper application to consume all virtual memory and crash.
Solution: No solution was available at the time of this entry. The vendor reportedly suggests placing a firewall in front of the Websweeper application.
Vendor URL: www.mimesweeper.com/products/websweeper/default.asp
Cause: Resource error

Message History: This archive entry has one or more follow-up message(s) listed below.
(Proof-of-Concept Exploit Code) Re: Websweeper From Baltimore Technologies Can Be Crashed Remotely Because It Does Not Limit The Size of Web Requests
Helios Security and Administration has released proof-of-concept demonstration code for this vulnerability.

Source Message Contents

Subject:  def-2001-10: Websweeper Infinite HTTP Request DoS


======================================================================
                  Defcom Labs Advisory def-2001-10

                Websweeper Infinite HTTP Request DoS

Release Date: 2001-03-08
======================================================================
------------------------=[Brief Description]=-------------------------
The Websweeper application from Baltimore Technologies is vulnerable
to a Denial of Service attack. Malicious usage can lead to the
application crashing.

------------------------=[Affected Systems]=--------------------------
- Websweeper 4.0 for Windows NT

----------------------=[Detailed Description]=------------------------
By sending an infinitely long HTTP request through the Websweeper
application, it is possible to cause it to consume all available
memory on the server and eventually have the operating system kill
the process.

The term "infinitely long HTTP request" needs some clarification, as
it is not really a request, because it is never issued. The point is
to use up all available buffer memory in the application, and if
this buffer is not restricted, cause the application to be killed
by the operating system.

The concept works on a lot of HTTP applications, and the idea came
from reading one of Marc Maiffret's posts to Bugtraq; it really
goes far beyond just the Websweeper application.

What you do in practice is this:

GET / HTTP/1.0
Host: www.foo.org
referrer: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................

And keep filling in a's. The HTTP request will then be buffered, the
a's will be pushed to the application, and memory will be allocated
to hold the partially received request. Some HTTP applications will
restrict the size of HTTP requests, like IIS/4.0 (2 MB), but that can
be bypassed by opening up e.g. 500 connections: 500 x 2 MB = 1000 MB.

This is all terribly generalized, as some applications handle these
attacks quite well, but a lot of them do not. E.g. IIS/5.0 handles it
rather well, as the maximum HTTP request size there is around 148 KB.

---------------------------=[Workaround]=-----------------------------
None known; the vendor suggests placing a firewall in front of the
Websweeper application.

-------------------------=[Vendor Response]=--------------------------
The vendor was contacted on February 27th, 2001 and replied:

"Unfortunately it is not possible to legislate for all deliberate
attacks. If a client program wilfully sends a large number of
malformed requests and holds the connections open, the request data
will fill up the memory and eventually you will run out of virtual
memory.

Under normal situations this will not be an issue, except where
Internal Users pose a significant security risk to your system. In
these situations alternative low-level packet security software such
as firewalls may need to be considered.

Nonetheless, the wider issues of what can be done to minimise exposure
to hacking are with Engineering, and they are always striving to make
our products as secure and robust as possible. Thank you for your
comments on this issue."

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================
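The advisory's point is that the request is never completed, so the only thing that stops the buffer from growing is a cap the application never had. The following added example (written for this page, not Websweeper's or Defcom's code) shows the two defensive controls the text implies: a bounded reader for the request head that rejects a never-ending "referrer: aaaa..." at a fixed byte limit, and a per-client connection budget so that the cap cannot be multiplied by opening hundreds of connections. The limits, class names and the FakeClient test stream are assumptions constructed for the demonstration.

```python
from collections import Counter

# Illustrative limits (assumed; the advisory gives no figures for Websweeper).
MAX_HEAD_BYTES = 16 * 1024    # cap on buffered request line + headers
MAX_CONNS_PER_CLIENT = 20     # cap on simultaneous connections per client

class RequestTooLarge(Exception): pass    # answer with 431/413, then close
class IncompleteRequest(Exception): pass  # client went away before CRLF CRLF

def read_request_head(client, max_bytes=MAX_HEAD_BYTES, chunk=1024):
    """Read request line + headers up to the first CRLF CRLF, never buffering
    more than max_bytes: an endless "referrer: aaaa..." is rejected at the cap
    instead of growing until the OS kills the process."""
    buf = bytearray()
    while True:
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return bytes(buf[:end])
        if len(buf) >= max_bytes:
            raise RequestTooLarge(f"request head exceeded {max_bytes} bytes")
        data = client.read(min(chunk, max_bytes - len(buf)))
        if not data:
            raise IncompleteRequest("connection closed before end of headers")
        buf += data

class ConnectionBudget:
    """Per-client cap on open connections, so the per-request cap cannot be
    multiplied away by opening hundreds of connections (the 500 x 2 MB case)."""
    def __init__(self, per_client=MAX_CONNS_PER_CLIENT):
        self.per_client, self.active = per_client, Counter()
    def acquire(self, client_ip):
        if self.active[client_ip] >= self.per_client:
            return False   # caller closes the new connection instead of buffering
        self.active[client_ip] += 1
        return True
    def release(self, client_ip):
        self.active[client_ip] -= 1

class FakeClient:
    """Constructed stand-in for a client socket (sample input, not real traffic).
    With endless=True it replays the attack: a sane start, then a's forever."""
    def __init__(self, data, endless=False):
        self.pending, self.endless, self.served = data, endless, 0
    def read(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        if self.endless:
            out += b"a" * (n - len(out))
        self.served += len(out)
        return out
```

With both controls in place, memory held for unfinished requests is bounded by MAX_HEAD_BYTES times the connection budget per client, rather than by whatever the attacker is willing to send.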

Copyright 2021, SecurityGlobal.net LLC