WebObjects DoS

[gdead () FORTNOCS COM (Bruce Potter)]

Howdy,
We've found a DoS in WebObjects apps (with a possible remote
exploit).  So far we've found this problem in
WebObjects 4.5 Developer running with the CGI-adapter
and IIS 4.0 on NT 4.0 SP5.  WO 4.5 Beta on Solaris 2.6 with
Netscape Enterprise isn't vulnerable.

Overview: If you send a large (4.1K) header variable to the
webobjects app it will core (fires up doctor watson).  This
may result in a remotely executable exploit as the user
running IIS, but I haven't taken the time to check

Implementation:  This worked on any app we tested it on,
including "empty" projects that did _nothing_.  Construct
a message as follows

POST /scripts/WebObjects.exe/EmptyProject HTTP/1.0
Accept: AAAAAAAAA....  (about 4.1K worth of A's)
Content-Length: 16

uselessdata=dork

That's it.  The app will die and fire up a doctor watson window.
> Fromour testing, it appears that as long as you have > 4.1K worth
of headers, the app will die (ie: you don't need to have all the
data in one variable).

We submitted this vulnerablity to Apple last week.  To their
credit they responded in a resonable timeframe.  According to the
testing done on their end, this DoS is only present when you use
a development license.  WO with deployment licenses are not
vulnerable.  Our deployment license is "in the mail" so we haven't
been able to test this.  Seems a bit odd to me being that you keep
the same software and just change the license key to "upgrade"
from devel to deploy... there's no new software installed.  We'll
see.

The Shmoo Group
http://www.shmoo.com
http://www.macsecurity.org