lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20031201125726.0d21441a.aluigi@altervista.org>
Date: Mon, 1 Dec 2003 12:57:26 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Surfboard <= 1.1.8 vulns



#######################################################################

                             Luigi Auriemma

Application:  Surfboard webserver
              http://surfd.sourceforge.net
Versions:     <= 1.1.8
Platforms:    *nix
Bugs:         possibility to view all the files in the system and
              resources consumption
Risk:         medium/high
Exploitation: remote/easy
Date:         01 Dec 2003
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From the website:
"Surfboard is a trivial web server, written by Meredydd Luff."



#######################################################################

=======
2) Bugs
=======


Directory traversal
-------------------

The webserver checks the dot-dot pattern only if there is a '?' in the
URI (used for server side scripts), so there is no protection for the
classical directory traversal exploitation.
Note: fortunally the webserver doesn't support indexing of directories
and the version 1.0 is not affected by this bug.



Resource consumption
--------------------

The webserver uses a strange method to read the browser's input: it
does a loop until it receives a second line-feed.
Unfortunally the webserver doesn't check for errors so if the client
breaks the connection it will enter in an infinite loop and the process
(the webserver uses fork()) will be never terminated.




#######################################################################

===========
3) The Code
===========


Directory traversal
-------------------

http://server/../etc/passwd
http://server/../../../etc/passwd



Resource consumption
--------------------

Connect to the server with telnet or netcat and then close the
connection (without sending data).




#######################################################################

======
4) Fix
======


I have alerted the author a week ago, however patching the webserver is
very simple. The following patch can be applied to the 1.1.8 version:


--- surfboard.c 2001-04-11 19:23:36.000000000 +0000
+++ 1.c 2003-11-27 18:38:28.000000000 +0000
@@ -155,7 +155,7 @@
     */
     while(1)
     {
-      while(read(s, &c, 1)<1);
+      if(read(s, &c, 1)<1) break;
       if(c=='\r') { continue; }
       if(c=='\n' && oldc=='\n') { break; }
       oldc=c;
@@ -167,7 +167,7 @@
   sprintf(buf, "Asked for %s", rawreq);
   log_msg(LOG_DEBUG, buf);
 
-  if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,
"`")<strstr(rawreq, "?"))
+  if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,
"..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))
   {
     log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK ATTEMPT");
     add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");


Details:
1) the reading loop will be terminated if we find an error
2) we check also the presence of the dot-dot pattern if there is no
   '?' in the URI



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ