Null httpd Can Be Crashed By Remote Users Sending Incomplete HTTP POST Requests

SecurityTracker Alert ID: 1007802

CVE Reference: GENERIC-MAP-NOMATCH

Date: Sep 24 2003

Impact: Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Exploit Included: Yes

Version(s): 0.5.1

Description: Some vulnerabilities were reported in Null httpd. A remote user can cause the target HTTP service to fail to respond. A remote user can also conduct cross-site scripting attacks.

It is reported that a remote user can submit an HTTP POST request with content that is smaller than the value specified as the Content-Length, causing the server to wait for the remaining data. If the remote user submits several very large requests in this manner, the target server will exhaust available sockets and become unreachable. This may also cause CPU usage to reach 100% and all available memory to be consumed, the report said.

Some demonstration exploit code is available at:
http://aluigi.altervista.org/poc/webpostmem.zip

It is also reported that a remote user can supply a specially crafted HTTP GET request that will bypass the target server's protections against cross-site scripting attacks. If the request is longer than 1799 bytes, the server will display part of the user-supplied request (including any HTML scripting code) as part of an error message. As a result, a remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable Null httpd server and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit HTML file is available at:
http://aluigi.altervista.org/nullhttpd051-xss.htm

The vendor has reportedly been notified without response.
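The cross-site scripting issue above comes down to an error page that echoes the raw request once it passes a length threshold. The C below is an added example, not Null httpd's code, showing the defensive counterpart: an HTML-escaping routine that never emits a half-written entity when its output buffer is short, and an error-page renderer that echoes at most a fixed prefix of the request, always escaped, regardless of how long the request is. The names html_escape, render_error_page, escape_for_html, the ECHO_MAX limit and the constructed long request are this example's assumptions.

```c
/* Added example, not Null httpd source: echo a client's request in an error
 * page without letting markup in it execute. ECHO_MAX, PAGE_MAX, the function
 * names and the constructed request are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

#define ECHO_MAX 64          /* echo at most this many request bytes (assumed) */
#define PAGE_MAX 1024        /* size of the rendered error page buffer          */

/* HTML-escape inlen bytes of in into out (NUL-terminated whenever outlen > 0).
 * Only whole entities that fit are copied, so a short buffer can never end in
 * a dangling "&lt". Returns the length the complete escaped form needs
 * (without the NUL); a return value >= outlen means the output was cut. */
size_t html_escape(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t need = 0, copied = 0;
    for (size_t i = 0; i < inlen; i++) {
        char one[2] = { in[i], '\0' };
        const char *rep;
        switch (in[i]) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        /* copied == need means nothing was skipped yet, so output has no gaps */
        if (copied == need && copied + rl < outlen) {
            memcpy(out + copied, rep, rl);
            copied += rl;
        }
        need += rl;
    }
    if (outlen > 0)
        out[copied] = '\0';
    return need;
}

/* Escape a NUL-terminated string into a static buffer (for short strings). */
const char *escape_for_html(const char *s)
{
    static char buf[256];
    html_escape(s, strlen(s), buf, sizeof buf);
    return buf;
}

/* Render a 400 page that echoes at most ECHO_MAX bytes of the request, escaped,
 * with "..." marking a cut. Returns the page length, or -1 if out is too small.
 * Note that the request length only decides how much is echoed, never whether
 * escaping happens. */
int render_error_page(const char *request, char *out, size_t outlen)
{
    size_t reqlen = strlen(request);
    size_t echo = reqlen < ECHO_MAX ? reqlen : ECHO_MAX;
    char esc[ECHO_MAX * 6 + 1];            /* worst case: every byte -> &quot; */
    html_escape(request, echo, esc, sizeof esc);
    int n = snprintf(out, outlen,
                     "<html><body><h1>400 Bad Request</h1>"
                     "<pre>%s%s</pre></body></html>",
                     esc, reqlen > echo ? "..." : "");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Constructed input: a request line well past 1799 bytes that begins with a
 * script tag, modelled on the advisory's long-request trigger. */
const char *constructed_long_request(void)
{
    static char req[2048];
    const char *head = "GET /<script>alert(1)</script>";
    size_t hl = strlen(head);
    memcpy(req, head, hl);
    memset(req + hl, 'A', sizeof req - hl - 1);
    req[sizeof req - 1] = '\0';
    return req;
}

/* Convenience wrapper: rendered page for a request in a static buffer, or NULL. */
const char *rendered_error_page(const char *request)
{
    static char page[PAGE_MAX];
    return render_error_page(request, page, sizeof page) < 0 ? NULL : page;
}

int main(void)
{
    const char *page = rendered_error_page(constructed_long_request());
    puts(page ? page : "(error page did not fit)");
    return 0;
}
```

The fixed worst-case buffer in render_error_page (six output bytes per input byte) is what lets the echo be bounded without a heap allocation per error, which matters when the same server is also being hit with the resource-exhaustion requests described above.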

Impact: A remote user can cause the HTTP service to become unavailable and cause excessive CPU and memory resources to be consumed on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Null httpd, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: nullhttpd.sourceforge.net/httpd/

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Luigi Auriemma <aluigi@altervista.org>

Message History: None.

Source Message Contents

Date: Wed, 24 Sep 2003 11:39:07 +0000
From: Luigi Auriemma <aluigi@altervista.org>
Subject: NULLhttpd <= 0.5.1 remote resources consumption

#######################################################################
Luigi Auriemma
Application: NULLhttpd
http://nullhttpd.sourceforge.net/httpd/
Versions: <= 0.5.1
Platforms: All supported (Win & Unix)
Bug: Remote resources consumption
Risk: Medium
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."
However, as said by the author Dan Cahill, this server has not been
developed for production servers or for quality and security.
#######################################################################
======
2) Bug
======
This is a type of bug that I like a lot.
Usually the causes are unchecked return values from recv() and select()
functions that let the vulnerable server enter an infinite loop
if it waits for a specific amount of data and the client closes the
connection before sending all the requested bytes.
The effects are:
- CPU at 100%: caused by the loop that calls recv() and/or select()
infinitely
- memory consumption: if the server receives data from the client, the
memory used will not be deallocated because the request (seen by the
server) is still active
- other resources used: processes, other memory and moreover sockets
As said before, the bug happens when the server waits for data, so the
attacker must use the POST command with the Content-Length parameter.
The following is a practical example:
------------------
POST / HTTP/1.0
Content-Length: 10

123456789
------------------
So the client "says" that it will send (for example) 1 megabyte, but
then it will send 1 megabyte less 1 byte (and this is the memory that
will be occupied in the server).
After some connections the server will use up all the available sockets
and will be unreachable.
#######################################################################
===========
3) The Code
===========
The code is for *nix and Win and lets you choose how many kilobytes
to eat for each connection and the number of connections to make:
http://aluigi.altervista.org/poc/webpostmem.zip
#######################################################################
======
4) Fix
======
No fix.
The author was contacted over 10 days ago but I have not
received an answer so far.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
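The short-POST loop described in section 2 of the message above (and in the Description field) is, on the server side, a matter of acting on what recv() and select()/poll() return and bounding how long a request may sit half-read. The C below is an added example, not Null httpd's code or the author's proof of concept: read_body performs the bounded read, and simulate_post replays the message's Content-Length: 10 with nine bytes sent over a local socketpair, so the outcome can be observed without a network. MAX_BODY, IDLE_TIMEOUT_MS, the function names and the simulated client are this example's assumptions, and it uses poll() where the message mentions select().

```c
/* Added example, not Null httpd source: a POST body reader that a client
 * declaring more Content-Length than it sends cannot leave spinning or
 * waiting forever. MAX_BODY, IDLE_TIMEOUT_MS, the function names and the
 * simulated client are this example's own assumptions. POSIX only. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_BODY        (1024L * 1024L) /* reject larger Content-Length up front */
#define IDLE_TIMEOUT_MS 5000            /* drop a client silent for this long    */

enum body_status {
    BODY_OK = 0,
    BODY_TOO_LARGE,   /* Content-Length above MAX_BODY: nothing allocated */
    BODY_CLOSED,      /* peer closed before sending all declared bytes    */
    BODY_TIMEOUT,     /* peer stalled: no data within the idle timeout    */
    BODY_ERROR        /* poll()/recv()/malloc failure                     */
};

/* Read exactly content_length bytes from fd into a malloc'd, NUL-terminated
 * buffer (*out, caller frees). Every poll() and recv() result is acted on:
 * 0 from recv() is EOF rather than "try again", and a silent peer trips the
 * timeout, so the advisory's short POST ends the request instead of pinning
 * its socket, memory and thread. */
enum body_status read_body(int fd, long content_length, int idle_timeout_ms,
                           char **out)
{
    *out = NULL;
    if (content_length < 0 || content_length > MAX_BODY)
        return BODY_TOO_LARGE;

    char *buf = malloc((size_t)content_length + 1);
    if (buf == NULL)
        return BODY_ERROR;

    size_t have = 0;
    while (have < (size_t)content_length) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
        int pr = poll(&pfd, 1, idle_timeout_ms);
        if (pr == 0) { free(buf); return BODY_TIMEOUT; }
        if (pr < 0) {
            if (errno == EINTR) continue;
            free(buf); return BODY_ERROR;
        }
        ssize_t n = recv(fd, buf + have, (size_t)content_length - have, 0);
        if (n == 0) { free(buf); return BODY_CLOSED; }   /* EOF: peer gone */
        if (n < 0) {
            if (errno == EINTR) continue;
            free(buf); return BODY_ERROR;
        }
        have += (size_t)n;
    }
    buf[have] = '\0';
    *out = buf;
    return BODY_OK;
}

/* Simulated client over a socketpair: sends body, then either closes or just
 * goes quiet, while the server side tries to read declared_len bytes.
 * Returns what read_body reports. */
enum body_status simulate_post(const char *body, long declared_len,
                               int close_after_send, int timeout_ms)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return BODY_ERROR;
    size_t len = strlen(body);
    if (len > 0 && send(sv[0], body, len, 0) != (ssize_t)len) {
        close(sv[0]); close(sv[1]);
        return BODY_ERROR;
    }
    if (close_after_send)
        close(sv[0]);                 /* client goes away mid-request */

    char *data = NULL;
    enum body_status st = read_body(sv[1], declared_len, timeout_ms, &data);
    free(data);
    if (!close_after_send)
        close(sv[0]);
    close(sv[1]);
    return st;
}

int main(void)
{
    /* The message's example: Content-Length: 10 but only "123456789" sent. */
    static const char *names[] = { "ok", "too large", "closed", "timeout", "error" };
    printf("client closed early: %s\n", names[simulate_post("123456789", 10, 1, 1000)]);
    printf("client went quiet  : %s\n", names[simulate_post("123456789", 10, 0, 200)]);
    printf("complete body      : %s\n", names[simulate_post("1234567890", 10, 1, 1000)]);
    return 0;
}
```

The two checks that matter most are the ones the message says are usually missing: the recv() return of 0 (the client closed, so there is nothing to wait for) and the poll() return of 0 (the client is still connected but has stopped sending). Capping Content-Length before the malloc addresses the memory half of the report, since the buffer is only ever as large as a single accepted request.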