TUCoPS :: Web :: Servers :: web5305.htm

LabVIEW Web Server DoS vulnerability due to malformed HTTP command
24th Apr 2002 [SBWID-5305]
COMMAND

	LabVIEW Web Server DoS vulnerability due to malformed HTTP command

SYSTEMS AFFECTED

	5.1.1 - 6.1

PROBLEM

	Steve   Zins   [http://www.ilabview.com]   posted   following   advisory
	regarding LabVIEW web  server,  an  integrated  development  system  for
	creating LabVIEW programs, which are called Virtual Instruments or  VIs.
	The LabVIEW application can run, or host, VIs in  its  own  environment.
	The  LabVIEW  application  can  also  host  its  own  Internet  servers,
	including an HTTP or Web server. LabVIEW also  has  extensive  libraries
	to interface with real-world test and measurement equipment, as well  as
	mechanical motion control and process control equipment.
	

	When the malformed HTTP request  described  below  is  received  by  the
	LabVIEW Web Server, the entire LabVIEW  application  crashes,  including
	the Web Server, and  any  other  LabVIEW  programs,  or  VIs,  that  are
	running in the application environment. This  amounts  to  a  Denial  of
	Service attack,  not  only  on  the  web  server,  itself,  but  on  any
	processes hosted in the  LabVIEW  application.  LabVIEW  VIs  performing
	real-world processes could be interrupted by this type of attack.
	

	National Instruments has confirmed this  exploit  and  has  published  a
	response in their KnowledgeBase, referenced below. This states that  the
	crash will occur only when web server logging is enabled.
	

	While this is demonstrably a Denial of Service vulnerability,  it  might
	also be exploitable with a buffer overflow attack.
	

	 EXPLOIT

	 =======

	

	The  LabVIEW  Web  Server  crashes  when  it  processes  the   following
	malformed HTTP request:
	

	

	      GET\\s/\\sHTTP/1.0\\n\\n

	

	

	This request is malformed because RFC 1945 for HTTP 1.0  specifies  that
	header lines should be separated by CRLF (\\r\\n), not just LF (\\n)  as
	shown here. The header should be ended by two adjacent  CRLF  sequences.
	But a server should not crash when it processes this sequence.
	

	The server crashes only when the Web Server logging is disabled.
	

	

	 REFERENCES

	 ==========

	

	

	National Instruments - http://www.ni.com/

	LabVIEW - http://sine.ni.com/apps/we/nioc.vp?cid=1381&lang=US

	National Instruments KnowledgeBase notification -

	http://digital.ni.com/public.nsf/websearch/4C3F86E655E5389886256BA00064B22F?

	OpenDocument

	

	

SOLUTION

	 Workaround

	 ==========

	

	Disable web server logging.
	

	I strongly recommend that (1) LabVIEW  Web  Servers  be  run  only  with
	logging disabled and that (2) any LabVIEW application that is running  a
	LabVIEW Web  server  does  not  also  run  processes  that  could  cause
	real-world damage if interrupted.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH