Advisory: Moby NetSuite POST Denial of Service Vulnerability

Moby NetSuite is an HTTP/SMTP package designed for simplicity. It supports CGI, including POST form submissions. A vulnerability in the POST handler could lead to denial of service against the server.

When faced with a POST request, NetSuite allocates a buffer according to the incoming Content-Length header, reads in that number of bytes, and passes them on as the CGI process' STDIN stream. The value for the number of bytes read is returned from an atoi() call. When the header's value is too large to fit in an integer value, or is not numeric, the atoi() library call leaves the variable in its previous state. In this case, the variable is undefined, as it has no data before the length is determined. An sprintf() call that occurs while creating the CGI environment for the child then attempts to read the undefined data, resulting in an access violation. Restart of services is required to regain normal functionality.

Example:

[Begin Session]
POST /cgi-bin/test.cgi HTTP/1.0
Content-Length: 111111111111111111111111111

A
[End Session]

NetSuite crashes within seconds with an access violation: illegal use of un-initialized data variable.

http://www.techie.hopto.org/bug.php?2002-48 (Write-Up)
http://www.techie.hopto.org/exploits.php?moby (Exploit code in HTML form)
http://www.techie.hopto.org/getexpl.php?moby (Exploit code in downloadable form)
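
The following C code is an added example, not NetSuite's code or the advisory author's: it shows a Content-Length parser that rejects the non-numeric and oversized values described above and leaves the length defined on every path, so nothing downstream reads uninitialised data. The function name, the status codes and the 1 MiB MAX_POST_BODY limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit for a CGI POST body; not a NetSuite setting. */
#define MAX_POST_BODY (1024UL * 1024UL)

enum cl_status { CL_OK = 0, CL_NOT_NUMERIC = -1, CL_TOO_LARGE = -2 };

/* Parse a Content-Length header value without atoi().
 * *out is always written, so the caller never sees an undefined length. */
enum cl_status parse_content_length(const char *value, size_t *out)
{
    char *end = NULL;
    unsigned long long n;

    *out = 0;                       /* defined value on every path */
    if (value == NULL)
        return CL_NOT_NUMERIC;
    while (*value == ' ' || *value == '\t')
        value++;                    /* optional whitespace after the colon */
    if (!isdigit((unsigned char)*value))
        return CL_NOT_NUMERIC;      /* rejects "", "-1", "+5", "abc" */

    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE)
        return CL_TOO_LARGE;        /* does not fit in unsigned long long */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                      /* trailing whitespace or line ending */
    if (*end != '\0')
        return CL_NOT_NUMERIC;      /* trailing junk such as "12abc" */
    if (n > MAX_POST_BODY)
        return CL_TOO_LARGE;        /* refuse before allocating a buffer */

    *out = (size_t)n;
    return CL_OK;
}

int main(void)
{
    size_t len;
    /* Header value taken from the advisory's example session. */
    enum cl_status st = parse_content_length("111111111111111111111111111", &len);
    printf("status=%d length=%zu\n", (int)st, len);
    return 0;
}
```

A server using a check like this would answer a rejected header with an error response (for example 400 or 413) instead of allocating a buffer or building the CGI environment.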