From peter.grundl@DEFCOM.COM Thu Mar 8 12:22:59 2001
From: "Peter Gründl"
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 8 Mar 2001 15:04:20 +0100
Subject: [BUGTRAQ] def-2001-10: Websweeper Infinite HTTP Request DoS

======================================================================
                  Defcom Labs Advisory def-2001-10

               Websweeper Infinite HTTP Request DoS

Author: Peter Gründl
Release Date: 2001-03-08
======================================================================
------------------------=[Brief Description]=-------------------------
The Websweeper application from Baltimore Technologies is vulnerable
to a Denial of Service attack. Malicious usage can lead to the
application crashing.

------------------------=[Affected Systems]=--------------------------
- Websweeper 4.0 for Windows NT

----------------------=[Detailed Description]=------------------------
By sending an infinitely long HTTP request through the Websweeper
application, it is possible to cause it to consume all available
memory on the server and eventually have the operating system kill
the process.

The term "infinitely long HTTP request" needs some clarification, as
it is not really a request, because it is never issued. The point is
to use up all available buffer memory in the application, and if this
buffer is not restricted, cause the application to be killed by the
operating system.

The concept works on a lot of HTTP applications and goes far beyond
just the Websweeper application. The idea came from reading one of
Marc Maiffret's posts to Bugtraq.

What you do in practice is this:

GET / HTTP/1.0
Host: www.foo.org
referrer: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................

And keep filling in a's.
The HTTP request will then be buffered and the a's will be pushed to
the application and memory will be allocated to handle the beginning
request.

Some HTTP applications will restrict the size of HTTP requests, like
IIS/4.0 (2MB), but that can be bypassed by opening up e.g. 500
connections. 500x2 = 1000Mb.

This is all terribly generalized, as some applications handle these
attacks quite well, but a lot of them do not. E.g. IIS/5.0 handles it
rather well, as the maxhttprequest size here is around 148Kb.

---------------------------=[Workaround]=-----------------------------
None known. The vendor suggests placing a firewall in front of the
Websweeper application.

-------------------------=[Vendor Response]=--------------------------
The Vendor was contacted February 27th, 2001 and replied:

"Unfortunately it is not possible to legislate for all deliberate
attacks. If a client program wilfully sends a large number of
malformed requests and holds the connections open, the request data
will fill up the memory and eventually you will run out of virtual
memory. Under normal situations this will not be an issue, except
where Internal Users pose a significant security risk to your system.
In these situations alternative low-level packet security software
such as firewalls may need to be considered.

Nonetheless the wider issues of what can be done to minimise exposure
to hacking is with Engineering and they are always striving to make
our products as secure and robust as possible. Thank you for your
comments on this issue."

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================
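
Added example, not part of the Defcom advisory or of any vendor's code: a request-head reader that caps both a single header line and the whole head, plus the worst-case memory bound that follows once connections are capped too. The limit values and the names read_head, HeadTooLarge and worst_case_head_memory are assumptions made for illustration.

```python
import io

# Assumed limits for illustration; tune to the deployment.
MAX_LINE = 8 * 1024     # longest single request/header line accepted
MAX_HEAD = 64 * 1024    # total bytes accepted before the blank line
MAX_CONNS = 500         # concurrent connections the listener admits


class HeadTooLarge(Exception):
    """Request head exceeded a limit: reply with an error and close."""


def read_head(stream, max_line=MAX_LINE, max_head=MAX_HEAD):
    """Return the request line and headers, buffering at most max_head bytes."""
    lines, total = [], 0
    while True:
        # readline(n) returns at most n bytes, so a header line that never
        # ends is noticed after max_line + 1 bytes instead of growing a buffer.
        line = stream.readline(max_line + 1)
        if len(line) > max_line:
            raise HeadTooLarge("line longer than %d bytes" % max_line)
        if not line.endswith(b"\n"):
            raise ConnectionError("peer closed before end of headers")
        total += len(line)
        if total > max_head:
            raise HeadTooLarge("head larger than %d bytes" % max_head)
        if line in (b"\r\n", b"\n"):
            return lines
        lines.append(line.rstrip(b"\r\n"))


def worst_case_head_memory(max_head=MAX_HEAD, max_conns=MAX_CONNS):
    """Upper bound on head buffering across all admitted connections."""
    return max_head * max_conns


if __name__ == "__main__":
    # Constructed input: the advisory's request with a header that never ends.
    flood = io.BytesIO(b"GET / HTTP/1.0\r\nHost: www.foo.org\r\nreferrer: " + b"a" * 10**6)
    try:
        read_head(flood)
    except HeadTooLarge as exc:
        print("rejected after", flood.tell(), "bytes:", exc)
    print("worst case:", worst_case_head_memory() // 2**20, "MiB")
```

On a real listener the stream would be the socket's buffered file object with a read timeout set, since the per-request cap bounds memory only when the number of open connections is bounded as well.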