MiniWeb DoS PoC Exploit

So, cialis quite a while ago, I was fuzzing the MiniWeb Server available from Google Code – Miniweb after I realized that WinCC/SCADA systems also seem to use this web server. (Does this make Siemens in violation of the GPL?).

I had been using one of Metasploits fuzzers, check and noticed an instant crash it was causing, so I started trying to replicate it.

After enlisting the help of ohdae from BindShell Labs, we were able to figure out the crash was caused by the “Content-Length: -10″ part of the malicious HTTP Header, sovaldi basically, it chokes on that and dies. I had been convinced it was something to do with malicious POST data, but thanks to ohdae, that was quickly changed.

After a lot more debugging and playing about, I learned that someone else had gotten to this bug first, and it was not a 0day after all. I also had just about given up on getting remote code execution from this vulnerability.

The original advisory can be found here: http://aluigi.altervista.org/adv/winccflex_1-adv.txt

Anyways, on to the fun stuff. So, here is what GDB looks like when the exploit is ran…

root@bt:~/fuzzme/SCADA# gdb
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type “show copying”
and “show warranty” for details.
This GDB was configured as “i486-linux-gnu”.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) exec-file SCADA
(gdb) run
Starting program: /root/fuzzme/SCADA/SCADA
MiniWeb 0.8.180 (C)2005-09 Stanley Huang (C)2010 Stanley Huang / Felix Wang

Listening port: 80
Web root: webroot
Max clients: 32
URL handlers: 1
Dir listing: on
[6] connection accepted @ May 31 16:15:34
[6] IP: 127.0.0.1
Connected clients: 1

Program received signal SIGSEGV, Segmentation fault.
0x0804c76b in ?? ()
(gdb) info registers
eax            0x0    0
ecx            0x1    1
edx            0xfffffff6    -10
ebx            0x8052718    134555416
esp            0xbffff2c0    0xbffff2c0
ebp            0xbffff318    0xbffff318
esi            0x0    0
edi            0x804f3fa    134542330
eip            0x804c76b    0x804c76b
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

And here is a screenshot of my exploit killing the server…
MiniWeb WinCC Denial of Service

Finally, to wrap things up, the PoC Exploit: http://pastebin.com/9EW96xGY

~Infodox

One thought on “MiniWeb DoS PoC Exploit

  1. Hi Darren,

    Thank you for taking a look at Miniweb, at this point it looks to us as it might be not the Siemens Miniweb you tested. We also did several tests with your exploit code. Please see our website for contact details and shoot us an email so we can work with you to verify this.

    Thanks for your cooperation,
    Thomas from Siemens ProductCERT

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>