Bugtraq mailing list archives
Re: Sample DOS against the Sambar HTTP-Server
From: sreid () SEA-TO-SKY NET (Steve)
Date: Wed, 6 Oct 1999 12:34:41 -0700
On Mon, Oct 04, 1999 at 12:58:40AM -0000, Dennis Conrad wrote:
#!/usr/bin/perl ######### # Sample DOS against the Sambar HTTP-Server
[snip]
print $remote "GET " . "X" x 99999999999999999999 . " HTTP/1.0\n\n";
Using that many 9s on my version of Perl fails silently. The above seems equivalent to: print $remote "GET HTTP/1.0\n\n"; steve@grok:/home/steve% perl -e 'print "X"x99999999999999999999;' steve@grok:/home/steve% perl -e 'print "X"x99999999999999999999 || die;' Died at -e line 1. steve@grok:/home/steve% perl -v This is perl, version 5.005_03 built for i386-freebsd [etc.] I don't have a Sambar HTTP server to test against but it seems clear that the code won't work the way the author expected. Perl doesn't even try to build a string that long. If it did it would run out of memory and then fail. I conclude that the script as posted will not DoS the server even if it is vulnerable, unless a simple "GET HTTP/1.0" triggers the DoS. I suggest that until the nature of the DoS is clarified anyone using the script to test their own server should try it as-is, then try it with fewer 9s (probably 9999 or 99999, maybe more if it's a resource exhaustion DoS).
Current thread:
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Eric Griffis (Sep 30)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Oct 01)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Jeff Long (Oct 04)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Valdis.Kletnieks () VT EDU (Oct 01)
- Team Asylum: iHTML Merchant (Follow-up) Team Asylum (Oct 01)
- RFP9903: AeDebug vulnerability .rain.forest.puppy. (Oct 01)
- Re: RFP9903: AeDebug vulnerability Matt (Oct 04)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Pavel Kankovsky (Oct 02)
- Buffer Overflows and Remote Root Exploits Crispin Cowan (Oct 02)
- (no subject) Dennis Conrad (Oct 03)
- Re: Sample DOS against the Sambar HTTP-Server Steve (Oct 06)
- Re: Sample DOS against the Sambar HTTP-Server Dennis Conrad (Oct 08)
- Re: Sample DOS against the Sambar HTTP-Server syz (Oct 09)
- Re: Sample DOS against the Sambar HTTP-Server Steve (Oct 06)
- <Possible follow-ups>
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Sep 30)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Casper Dik (Oct 01)
- RFP9904: TeamTrack webserver vulnerability .rain.forest.puppy. (Oct 02)
- Fix for ssh-1.2.27 symlink/bind problem Scott Gifford (Oct 02)
- Re: Fix for ssh-1.2.27 symlink/bind problem Eivind Eklund (Oct 04)
- Re: Fix for ssh-1.2.27 symlink/bind problem Toomas Kiisk (Oct 05)
- Re: Fix for ssh-1.2.27 symlink/bind problem Olaf Seibert (Oct 04)
- Re: Fix for ssh-1.2.27 symlink/bind problem Dan Astoorian (Oct 05)
- Re: [Fwd: Truth about ssh 1.2.27 vulnerabiltiy] Dan Astoorian (Oct 01)