Bugtraq mailing list archives

def-2001-10: Websweeper Infinite HTTP Request DoS


From: Peter Gründl <peter.grundl () DEFCOM COM>
Date: Thu, 8 Mar 2001 15:04:20 +0100

======================================================================
                  Defcom Labs Advisory def-2001-10

                Websweeper Infinite HTTP Request DoS

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-03-08
======================================================================
------------------------=[Brief Description]=-------------------------
The Websweeper application from Baltimore Technologies is vulnerable
to a Denial of Service attack. Malicious usage can lead to the
application crashing.

------------------------=[Affected Systems]=--------------------------
- Websweeper 4.0 for Windows NT

----------------------=[Detailed Description]=------------------------
By sending an infinitely long HTTP request through the Websweeper
application, it is possible to cause it to consume all available
memory on the server and eventually have the operating system kill
the process.

The term "infinitely long HTTP request" needs some clarification, as
it is not really a request, because it is never issued. The point is
to use up all available buffer memory in the application, and if
this buffer is not restricted, cause the application to be killed
by the operating system.

The concept works on a lot of HTTP applications and goes far beyond
just the Websweeper application. The idea came from reading one of
Marc Maiffret's posts to Bugtraq.

What you do in practice is this:

GET / HTTP/1.0
Host: www.foo.org
referrer: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.................

And keep filling in a's. The HTTP request will then be buffered, the
a's will be pushed to the application, and memory will be allocated
to handle the beginning request. Some HTTP applications will restrict
the size of HTTP requests, like IIS/4.0 (2MB), but that can be
bypassed by opening up e.g. 500 connections. 500x2 = 1000Mb.

This is all terribly generalized, as some applications handle these
attacks quite well, but a lot of them do not. E.g. IIS/5.0 handles it
rather well, as the maxhttprequest size here is around 148Kb.

---------------------------=[Workaround]=-----------------------------
None known. The vendor suggests placing a firewall in front of the
Websweeper application.

-------------------------=[Vendor Response]=--------------------------
The Vendor was contacted February 27th, 2001 and replied:

"Unfortunately it is not possible to legislate for all deliberate
attacks. If a client program wilfully sends a large number of
malformed requests and holds the connections open, the request data
will fill up the memory and eventually you will run out of virtual
memory.

Under normal situations this will not be an issue, except where
Internal Users pose a significant security risk to your system. In
these situations alternative low-level packet security software such
as firewalls may need to be considered.

Nonetheless the wider issues of what can be done to minimise exposure
to hacking is with Engineering and they are always striving to make
our products as secure and robust as possible. Thank you for your
comments on this issue."

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
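
The unrestricted request buffer described under Detailed Description, and the point that a per-request cap is bypassed by opening many connections, can be addressed on the server side as in the following sketch. It is an added example, not part of the Defcom advisory and not code from Websweeper or IIS; the class and function names and all limit values are assumptions chosen for illustration.

```python
# Added example: bounded reader for the HTTP request head.
# Limit values and all names here are assumptions, not Websweeper or IIS settings.
MAX_LINE = 8 * 1024    # longest single request or header line accepted
MAX_HEAD = 32 * 1024   # total bytes accepted before the terminating blank line
MAX_CONNS = 500        # concurrent connections the listener admits


class HeadTooLarge(Exception):
    """A limit was exceeded; the caller should answer 431/400 and close."""


class BoundedHeadReader:
    """Per-connection buffer that refuses to grow past max_head bytes."""

    def __init__(self, max_line=MAX_LINE, max_head=MAX_HEAD):
        self.max_line, self.max_head = max_line, max_head
        self.buf = bytearray()

    def feed(self, chunk: bytes):
        """Add received bytes; return the full head, or None if incomplete."""
        room = self.max_head - len(self.buf)
        self.buf += chunk[:room + 1]   # hold at most max_head + 1 bytes
        end = self.buf.find(b"\r\n\r\n")
        size = len(self.buf) if end < 0 else end + 4
        if size > self.max_head:
            raise HeadTooLarge("request head exceeds max_head")
        # The last element is the still-growing line, so an endless
        # header value is rejected before its terminator ever arrives.
        if any(len(l) > self.max_line for l in self.buf[:size].split(b"\r\n")):
            raise HeadTooLarge("header line exceeds max_line")
        return None if end < 0 else bytes(self.buf[:size])


def worst_case_bytes(max_conns=MAX_CONNS, max_head=MAX_HEAD):
    """Memory ceiling for unfinished heads: the per-request cap only helps
    if the connection count is capped too."""
    return max_conns * (max_head + 1)


if __name__ == "__main__":
    reader = BoundedHeadReader(max_line=64, max_head=256)  # small caps for the demo
    reader.feed(b"GET / HTTP/1.0\r\nHost: www.foo.org\r\nreferrer: ")  # constructed input
    try:
        while True:
            reader.feed(b"a" * 32)
    except HeadTooLarge as exc:
        print("closed connection:", exc, "| buffered:", len(reader.buf))
    print("worst case:", worst_case_bytes(), "bytes")
```

Bytes that follow the blank line (a request body) are outside what this reader handles; a real server would also put an idle timeout on connections whose head never completes.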

