WebObjects with development licence DoS, possible remotely executable exploit
Vulnerability

    WebObjects

Affected

    WO with development licence

Description

    Bruce Potter found the following.  He found a DoS in WebObjects apps
    (with a possible remote exploit).  So far we've found this problem
    in WebObjects 4.5 Developer  running with the CGI-adapter  and IIS
    4.0 on  NT 4.0  SP5.   WO 4.5  Beta on  Solaris 2.6  with Netscape
    Enterprise isn't vulnerable.

    If you send a large  (4.1K) header variable to the  webobjects app
    it will  core (fires  up doctor  watson).   This may  result in  a
    remotely executable  exploit as  the user  running IIS,  but Bruce
    hasn't taken the time to check.

    This  worked  on  any  app  we  tested  it  on,  including "empty"
    projects that did _nothing_.  Construct a message as follows

        POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
        Accept: AAAAAAAAA....  (about 4.1K worth of A's)
        Content-Length: 16

        uselessdata=dork

    That's it.  The app will  die and fire up a doctor  watson window.
    From testing, it appears  that as long as  you have > 4.1K  worth
    of headers, the app will die  (i.e. you don't need to have all the
    data in one variable).
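
    Because the crash depends on the total size of the headers rather
    than on any one field, a front-end filter has to limit the whole
    header block. The following is an added example, not code from the
    advisory or from Apple; the 4096- and 2048-byte limits and all
    function names are assumptions, and the requests are constructed
    samples.

```python
# Added example: flag requests whose aggregate header size exceeds a limit.
MAX_HEADER_BYTES = 4096   # assumption: set just below the ~4.1K reported above
MAX_FIELD_BYTES = 2048    # assumption: a typical per-field limit, for comparison


def header_sizes(raw: bytes):
    """Return (total_header_bytes, largest_field_bytes) for a raw HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]            # drop the request line
    sizes = [len(line) + 2 for line in lines]  # +2 for each CRLF
    return sum(sizes), max(sizes, default=0)


def verdict(raw: bytes) -> str:
    """Apply the per-field check first, then the aggregate check."""
    total, largest = header_sizes(raw)
    if largest > MAX_FIELD_BYTES:
        return "reject: oversized field"
    if total > MAX_HEADER_BYTES:
        return "reject: oversized header block"
    return "pass"


def build(headers):
    """Constructed sample request in the shape shown in the advisory."""
    lines = ["POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0"]
    lines += [f"{k}: {v}" for k, v in headers]
    lines += ["Content-Length: 16", "", "uselessdata=dork"]
    return "\r\n".join(lines).encode("ascii")


# Constructed samples (not captured traffic).
NORMAL = build([("Accept", "text/html"), ("User-Agent", "test")])
ONE_BIG = build([("Accept", "A" * 4200)])
# Every field is under the per-field limit; only the aggregate check catches it.
SPREAD = build([(f"X-Pad-{i}", "A" * 900) for i in range(5)])

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("one-big", ONE_BIG), ("spread", SPREAD)]:
        print(name, header_sizes(req), verdict(req))
```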

Solution

    Bruce submitted this vulnerability to Apple  last week.   To their
    credit they responded in a reasonable timeframe.  According to the
    testing done on their end, this  DoS is only present when you  use
    a  development  license.   WO  with  deployment  licenses  are not
    vulnerable.  Our deployment license is "in the mail" so we haven't
    been able to test this.  Seems a bit odd to me being that you keep
    the same  software and  just change  the license  key to "upgrade"
    from devel to deploy... there's no new software installed.   We'll
    see.
