lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030405122148.4a6a6e0e.aluigi@pivx.com>
Date: Sat, 5 Apr 2003 12:21:48 +0000
From: Auriemma Luigi <aluigi@...x.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
 full-disclosure@...ts.netsys.com, list@...ield.org
Subject: Abyss X1 1.1.2 remote crash



#######################################################################

Application: Abyss Webserver (http://www.aprelium.com)
Versions:    X1 (v 1.1.2)
Platform:    Windows and Linux
Bug:         Crash caused by the reading of an unreacheable memory zone
Risk:        Remote crash
Author:      Auriemma Luigi
             e-mail: aluigi@...x.com
             web:    http://www.pivx.com/luigi/


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy


#######################################################################

===============
1) Introduction
===============


Abyss is a very good free and tiny webserver that not only has a lot of
functions but it also run on both Win and Linux systems.

 

#######################################################################

======
2) Bug
======


As all the webservers in the world, Abyss read the HTTP fields ("Host:"
and "Referer:" for example) sent by the remote clients in their HTTP
requests.

Every HTTP field is followed by a value used for pass some parameters
to the webserver, like what browser we use, if we want that the current
connection remain alive for more seconds, if we wanna resume the
download of a file and much more.

The problem in Abyss X1 webserver happen when 2 fields passed by the
client are incomplete (without their values).

These fields are:
- "Connection:" used for specify if we want to break or continue the
  current connection with the server.
- "Range:" used for specify how many bytes and from what offset we want
  to start or continue the download of a file.

So instead of sending for example the field "Connection: close" the
attacker will send only "Connection:" without any value after it, and
now we will see what really happen in Abyss webserver when it receive
this malformed field.


When Abyss receive a request, it will read each HTTP field and every
value of eachone of these fields.
In the case of "Connection:" and "Range:" fields, the server not only
must read them but must also compare them with some default strings for
see what type of operation the client has choose (for example in case
of "Connection:", the server will compare its value with "close" or
"Keep-Alive").

The comparison made by the server is case insensitive and for make it
the server use the function strnicmp on Windows and strncasecmp on
Linux.

Now Abyss will simply pass the following arguments to the comparison
function:
1) address of the first string: this is the value that follow the HTTP
   field. This address will be 0x00000000 if the value doesn't exist.
2) address of the second string: this is the string we must compare for
   see if the first is equal or not ("Keep-Alive" for example).
3) number of chars to compare: this is equal to the size of the second
   string (the number of chars in "Keep-Alive" for example).


The following is a visual example of the usage of strnicmp function on
a Windows systems (don't worry it is the same on Linux too).
The example is just the vulnerable function on Abyss X1 (v1.1.2) that
calls strnicmp for compare the value of the "Connection:" field without
check if this value really exist and is stored in memory.

:0040E3EA 6A0A                    push 00A
:0040E3EC 68205E4100              push 00415E20
                      (StringData)"keep-alive"
:0040E3F1 FF7508                  push dword[ebp+08]
:0040E3F4 FF151C114100            call dword[0041111C ->0001205A _strnicmp]


Explanation:

:0040E3EA it pass 00A (= 10), it is the size of "keep-alive" (3)
:0040E3EC it pass the address of the string "keep-alive" (2)
:0040E3F1 it pass the address of the HTTP field value (1)
:0040E3F4 the program calls the strnicmp function


(At offset 0040E473 you can see the same thing for the "Range:" field)



And now the debugger or just only the disassembler will give us the
right explanation of the crash that we will see after sending one of
the 2 malformed HTTP fields to Abyss webserver:

On Windows the crash will happen at EIP 0x78013590 of MSVCRT.DLL that
is the function that reads the chars of the first string that is stored
in memory.
The Assembly instruction at that offset is "mov ah, [esi]", but
naturally ESI is NULL because DOESN'T exist the string in memory (the
attacker has not sent it!) and the program cannot read a zone of memory
located at 0x00000000.

Same thing happen on Linux that crash at EIP 0x42079db7, that is the
function strncasecmp.




#######################################################################

===========
3) The Code
===========


For test the bug try to send the following HTTP request:

--------------
GET / HTTP/1.0
Connection:


--------------

or 

--------------
GET / HTTP/1.0
Range:


--------------



#######################################################################

======
4) Fix
======


Version X1 v1.1.4 resolve the problem.



#######################################################################

=============
5) Philosophy
=============


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits) and it's useful for all the people that are hopeful in this
type of disclosure.
No secrets!


#######################################################################

====================
About PivX Solutions
====================


PivX Solutions, is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary StrikeFirst Security Assessments  
(http://www.pivx.com/sf.html).

For more information go to http://www.PivX.com


#######################################################################
 

Any type of feedback is really welcome!

Byez





--- 
PivX Bug Researcher
http://www.pivx.com/luigi/




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ