[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030924113907.0a252b87.aluigi@altervista.org>
Date: Wed, 24 Sep 2003 11:39:07 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: NULLhttpd <= 0.5.1 remote resources consumption
#######################################################################
Luigi Auriemma
Application: NULLhttpd
http://nullhttpd.sourceforge.net/httpd/
Versions: <= 0.5.1
Platforms: All supported (Win & Unix)
Bug: Remote resources consumption
Risk: Medium
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."
However, as said by the author Dan Cahill, this server has not been
developed for production servers or for quality and security.
#######################################################################
======
2) Bug
======
This is a type of bug that I like a lot.
Usually the causes are unchecked return values from recv() and select()
functions that let the vulnerable server to enter in an infinite loop
if it waits a specific amount of data and the client closes the
connection before sending all the requested bytes.
The effects are:
- CPU at 100%: caused by the loop that calls recv() and/or select()
infinitely
- memory consumption: if the server receives data from the client, the
memory used will not be unallocated because the request (seen by the
server) is still active
- other resources used: processes, other memory and moreover sockets
As said before, the bug happens when the server waits data so the
attacker must use the POST command with the Content-Length parameter.
The following is a practical example:
------------------
POST / HTTP/1.0
Content-Length: 10
123456789
------------------
So the client "says" that it will send (for example) 1 megabyte, but
then it will send 1 megabyte less 1 byte (and this is the memory that
will be occupied in the server).
After some connections the server will finish all the available sockets
and will be unreacheable.
#######################################################################
===========
3) The Code
===========
The code is for *nix and Win and lets you to choose how many kilobytes
to eat for each connection and the number of connections to do:
http://aluigi.altervista.org/poc/webpostmem.zip
#######################################################################
======
4) Fix
======
No fix.
The author has been contacted over 10 days before but I have not
received an answer until now.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists