Category:   Application (Generic)  >   3DM Disk Management Utility
Vendors:   3ware
3ware 3DM Disk Management Utility Web Daemon Bugs Let Remote Users Crash the Software
SecurityTracker Alert ID:  1006024
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 30 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s):; Possibly others
Description:   A denial of service vulnerability was reported in the 3ware 3DM Disk Management Utility. A remote user can cause the server to crash.

It is reported that a remote user can connect to the 3DM web server on port 1080 and send bogus data in certain HTTP fields to cause the web server daemon to crash. A demonstration exploit is provided:

GET / HTTP/1.1
Host: foo
Accept-Charset: bar

It is also reported that a remote user can send cookies to the server to cause the server to crash. This can reportedly create operational difficulties if the site uses domain-wide cookies.

Another user (Jason Giglio) confirmed that conducting a Nessus scan against version will cause the server to crash.

Impact:   A remote user can cause the web server process to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Exception handling error
Underlying OS:  Linux (Any), Windows (Any)
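
With no fix available, one interim measure is to strip the two header fields named in the report (Accept-Charset and Cookie) in a filtering proxy before requests reach the daemon. The following is an added example, not part of the original advisory or of 3ware's software; the function name `sanitize_request` and the sample request are constructed, and it assumes the crash depends only on those fields being present, which the advisory does not confirm.

```python
# Added example: remove the header fields the report names from a raw HTTP
# request before it is forwarded to the 3DM web daemon on port 1080.
import re

# Fields named in the report; compared case-insensitively.
BLOCKED_FIELDS = {b"accept-charset", b"cookie"}

# End of the request head, tolerating CRLF or bare-LF line endings.
_HEAD_END = re.compile(rb"\r?\n\r?\n")


def sanitize_request(raw: bytes):
    """Return (cleaned_request, removed_field_names).

    Folded continuation lines that belong to a removed field are removed
    with it. The message body, if any, is passed through unchanged.
    """
    m = _HEAD_END.search(raw)
    if m is None:
        raise ValueError("incomplete request head")
    head, body = raw[:m.start()], raw[m.end():]
    lines = re.split(rb"\r?\n", head)
    kept, removed, dropping = [lines[0]], [], False
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):        # continuation of previous field
            if not dropping:
                kept.append(line)
            continue
        name, sep, _ = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        # strip() also catches "Cookie : x" (whitespace before the colon)
        dropping = name.strip().lower() in BLOCKED_FIELDS
        if dropping:
            removed.append(name.strip().decode("latin-1"))
        else:
            kept.append(line)
    return b"\r\n".join(kept) + b"\r\n\r\n" + body, removed


# Constructed sample: the request from the report plus a site-wide cookie.
SAMPLE = (b"GET / HTTP/1.1\nHost: foo\nAccept-Charset: bar\n"
          b"Cookie: site=1;\n\tpref=2\nUser-Agent: test\n\n")

if __name__ == "__main__":
    cleaned, removed = sanitize_request(SAMPLE)
    print("removed:", removed)
    print(cleaned.decode("latin-1"))
```

The list of removed field names can be logged by the proxy, which also gives a record of which clients are sending the fields that reportedly terminate the daemon.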

Message History:   None.

 Source Message Contents

Subject:  3Ware 3DM denial of service attack

I've reported this to 3ware at least twice, and never received any
response. Previously I didn't have a test case other than "run a Nessus
scan against the host". I've narrowed it down to a reproducible minimum
test case now.

If you connect to 3dm port 1080 on either Linux or Windows and send:

GET / HTTP/1.1
Host: foo
Accept-Charset: bar

3dm server will terminate immediately.

Other 3dm problems - it flips out and refuses to accept a login if you
have ANY cookies sent. This screws you over if you have a sitewide cookie for example. 

-- Nathan

Nathan Neulinger                       EMail:
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

