lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040615073952.GG10059@bumboclaat.ebat.org>
From: jethro at docisland.org (Jerome)
Subject: [ESA-1] Denial of Service in thy


see attached advisory.

-- 
Jerome
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353  8ECB CEAF 6A0A 33D7 802F]
-------------- next part --------------
Ebat Advisory #01
-----------------
NULL Pointer dereference Denial of Service in Thy httpd
----

date: 15/06/04
author: jethro 
		- securirynerds
		- docisland
		- ebat
----


Overview:
---------

Thy is a lightweight and fast http daemon. A denial of
service condition can occur when the daemon is sent a 
crafted request. A manual restart is needed in order to 
recover the denial of service.

homepage: http://bonehunter.rulez.org/Thy.phtml

Vulnerable versions:
--------------------

All versions prior to 0.9.2 are vulnerable.

Severity:
---------

The Dos condition is fairly easy to achieve, but no threat of code 
execution upon exploitation of this vulnerability has been raised.

Recommandation:
---------------
Upgrade to thy 0.9.2 or apply this fix:

--- src/session.c
+++ src/session.c
@@ -127,7 +127,7 @@
	free (session->request->host);
	session->request->host = bhc_strdup (&tmp1[7]);
	free (session->request->url);
	-      session->request->url = NULL;
	+      session->request->url = bhc_strdup ("/");
	}
 }


Technical Details:
------------------

The vulnerability is triggered in session.c, through session_update():

(from src/session.c)

void
session_update (session_t *session)
{
  session->request = (request_t *)bhc_malloc (sizeof (request_t));

  session->result = http_request_parse (session->request,
                                        session->body.buffer);
  if (session->request->url)
    { 
      asprintf (&session->absuri, "http%s://%s%s",
                (session->ssl) ? "s" : "",
                session->request->host, session->request->url);
      _session_parse_absoluteuri (session);
      urldecode (session->request->url); <---
      cgi_setup (session); <---
      session->request->file = fabs_urlmap (session->request->url,
                                            session->request->host,
                                            session->absuri);
[...]



having a look at _session_parse_absoluteuri, we can spot the problem:

(from src/session.c)
static void
_session_parse_absoluteuri (session_t *session)
{
  char *tmp1, *tmp2;

  if (!session->request->url)
    return;

  if (strncmp ("http://", session->request->url, 7))
    return;

  tmp1 = strstr (session->request->url, "http://");
  tmp2 = bhc_strdup (strchr (&tmp1[7], '/')); <----
  if (tmp2)
    { 
      size_t l = strlen (tmp1);
      tmp1[l - strlen (tmp2)] = 0;
      free (session->request->host);
      session->request->host = bhc_strdup (&tmp1[7]);
      free (session->request->url);
      session->request->url = tmp2;
    }
  else
    { 
      free (session->request->host);
      session->request->host = bhc_strdup (&tmp1[7]);
      free (session->request->url);
      session->request->url = NULL;
    }
}

thy does expect a trailing / when parsing an absolute uri, and if no
one is set, tmp2 will feed session->request->url with a NULL value.
Later on, in urldecode

(from src/misc.c)
/** Decode URL in-place.
 */
void
urldecode (char *url)
{
  char *p = url;

  while (*p) <----
    { 
      if (*p == '%')
        { 
          *url = _misc_hextochar ((int)*(p+1), (int)*(p+2));
          p += 2;
        }
      else
        *url = *p;

      p++;
      url++;
    }
  *url = '\0';
}


if url is undefined, then *p won't be either, so while (*p) will
cause thy to segv.

Disclosure Timeline:
--------------------

14/06 - 18h - 
found the vuln in the RER (train for the suburbs near paris) while
trying some fancy tool I just wrote.
14/06 - 19h - 
went on #debian so as to find some clues about reporting incidents
to the debian project
14/06 - 19h30 -
dropped an email to security officer team @ debian .org
12/06 - 19h35 -
got an answer by mdz, redirecting me to debian maintainer and upstream
author
14/06 - 20h -
starting idling on #thy @ oftc.net, waiting for algernon.
15/06 - 00h -
finaly cought up with algernon, told him about the vuln, and stuff.
15/06 - 01h -
after a few more investigation, writing of this advisory.


Thanks to algernon for his quickness.

About Ebat:
-----------
E-bat is a non profit organisation which aims at helping clueless
amongst us feeling less stupid.
Thanks to oci@, ski@, tfo@, lbe@, and others.
We have no official website to provide you with anything, but who cares.
We'll keep the arm in the concrete!


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040615/322ebc37/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ