[UNIX] Surfboard HTTPd Directory Traversal and DoS Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 12/03/03

    To: list@securiteam.com
    Date: 3 Dec 2003 17:54:17 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Surfboard HTTPd Directory Traversal and DoS Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     Surfboard (<http://sourceforge.net/projects/surfd/>) is "a small, simple
    HTTPd designed to be set up in a minimum of time and with a minimum of
    fuss. CGI is supported, and so are custom CGI handlers for various file
    extensions (e.g. .PHP - yes, it works!) POST support is not there, but in
    the works". Two vulnerabilities have been found in the product: they allow
    attackers to view files that reside outside the HTML root directory, and
    to cause the server to consume a large amount of CPU time.

    DETAILS

    Vulnerable systems:
     * Surfboard HTTPd version 1.1.8 and prior

    Directory Traversal
    The web server checks for the dot-dot pattern only if there is a '?' in
    the URI (used for server-side scripts), so there is no protection against
    classical directory traversal. Note: fortunately the web server doesn't
    support directory indexing, and version 1.0 is not affected by this bug.

    Resource Consumption
    The web server uses a strange method to read the browser's input: it loops
    until it receives a second line feed. Unfortunately the web server doesn't
    check for read errors, so if the client breaks the connection the loop
    never ends and the process handling it (the web server uses fork()) is
    never terminated.

    Exploits:
    Directory Traversal:
    http://server/../etc/passwd
    http://server/../../../etc/passwd

    Resource Consumption:
    Connect to the server with telnet or netcat and then close the connection
    (without sending data).

    Fix:
    Luigi Auriemma alerted the author a week ago; in any case, patching the
    web server is very simple. The following patch can be applied to version
    1.1.8:

    --- surfboard.c 2001-04-11 19:23:36.000000000 +0000
    +++ 1.c 2003-11-27 18:38:28.000000000 +0000
    @@ -155,7 +155,7 @@
         */
         while(1)
         {
    - while(read(s, &c, 1)<1);
    + if(read(s, &c, 1)<1) break;
           if(c=='\r') { continue; }
           if(c=='\n' && oldc=='\n') { break; }
           oldc=c;
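Review bot: `if(read(s, &c, 1)<1) break;` stops the spin on EOF (read() returning 0) and on errors (-1), but it treats a transient EINTR like a dead connection, and it leaves the original problem half-solved: a client that connects and then sends nothing without closing still keeps this forked worker blocked in read() forever, because the `while(1)` loop has neither a receive timeout nor a byte limit. Suggest retrying when `errno == EINTR`, arming SO_RCVTIMEO (or alarm()) on `s` before the loop, and bounding how many bytes are accepted before the second line feed. Also note that `break` falls through to the request handling that follows (the next hunk at line 167 logs and checks rawreq), so a truncated request is still processed; exiting the child directly on read failure would be cleaner.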
    @@ -167,7 +167,7 @@
       sprintf(buf, "Asked for %s", rawreq);
       log_msg(LOG_DEBUG, buf);
     
    - if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,
    "`")<strstr(rawreq, "?"))
    + if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,
    "..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))
       {
         log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK
    ATTEMPT");
         add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");
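Review bot: the new condition still compares strstr() results that can be NULL. For a request that contains '?' but no ".." (or no backtick), the left side of `strstr(rawreq, "..")<strstr(rawreq, "?")` is NULL and the right side is a valid pointer; ordering NULL against a valid pointer is not well-defined in C, and on common platforms NULL compares lower, so such a request would take the 400 branch. Suggest computing each position once and testing for NULL explicitly, e.g. reject when `(dots && (!q || dots < q)) || (tick && (!q || tick < q))`, which also subsumes the clause this patch adds. The check runs on the raw, undecoded request line; if the path is percent-decoded later, the same test needs to run on the decoded path. Separately, `sprintf(buf, "Asked for %s", rawreq)` two lines above copies the client-controlled request into buf without a bound; use `snprintf(buf, sizeof buf, ...)`.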

    Fix details:
    1) The reading loop is terminated if a read error occurs.
    2) The dot-dot pattern is also checked when there is no '?' in the URI.
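
    The following is an added example, not code from the advisory or from
    Surfboard, showing how the two routines the patch touches could be
    written so that the flaws described above cannot recur. It assumes a POSIX
    socket environment; the function names, the request text and the
    socketpair client are constructed for the demonstration. It goes further
    than the one-line patch in two ways: the read loop is bounded and honours a
    receive timeout (a silent client that never closes would otherwise still
    pin a forked worker), and the traversal check walks the '/'-separated
    segments of the percent-decoded path, with or without a '?' in the URI,
    instead of searching the raw request line for "..".

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define MAX_HEAD 8192 /* bound on a request head, so the read loop cannot run forever */

/* Receive timeout: a client that connects and then stays silent must not pin a
 * forked worker forever, which a bare read() loop (patched or not) still allows. */
int set_read_timeout(int fd, int seconds)
{
    struct timeval tv = { seconds, 0 };
    return setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
}

/* Read the request head up to the first empty line (CRs dropped). Returns bytes
 * stored, or -1 on peer close (read()==0), read error or timeout (read()<0), or
 * an over-long head: EOF and errors end the loop instead of spinning in it. */
int read_request_head(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    char c, prev = 0;
    while (n + 1 < cap) {
        ssize_t r = read(fd, &c, 1);
        if (r < 0 && errno == EINTR) continue;  /* interrupted by a signal: retry */
        if (r <= 0) return -1;                  /* peer closed, timeout (EAGAIN) or error */
        if (c == '\r') continue;
        buf[n++] = c;
        if (c == '\n' && prev == '\n') {
            buf[n] = '\0';
            return (int)n;
        }
        prev = c;
    }
    return -1;                                  /* head longer than cap */
}

static int hexval(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Percent-decode len bytes of src into dst; -1 on a malformed escape, an embedded
 * NUL (%00) or overflow, all of which the caller treats as unsafe. */
static int percent_decode(const char *src, size_t len, char *dst, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        int ch = (unsigned char)src[i++], hi, lo;
        if (ch == '%') {
            if (i + 1 >= len || (hi = hexval(src[i])) < 0 || (lo = hexval(src[i + 1])) < 0)
                return -1;
            ch = hi * 16 + lo;
            i += 2;
        }
        if (ch == 0 || o + 1 >= cap) return -1;
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if the decoded path (the part before any '?') can be mapped under the document
 * root: checked with or without a query string, rejecting ".." segments and backticks. */
int path_is_safe(const char *target)
{
    char path[MAX_HEAD];
    const char *q = strchr(target, '?'), *seg = path;
    size_t len = q ? (size_t)(q - target) : strlen(target);
    if (percent_decode(target, len, path, sizeof path) != 0 || strchr(path, '`'))
        return 0;
    for (;;) {                                  /* walk the '/'-separated segments */
        const char *end = strchr(seg, '/');
        size_t sl = end ? (size_t)(end - seg) : strlen(seg);
        if (sl == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (!end) return 1;
        seg = end + 1;
    }
}

/* Scenario driver over a socketpair standing in for the client (constructed input).
 * close_peer=1 hangs up after sending; timeout_s>0 arms the receive timeout. */
static char last_head[MAX_HEAD];
const char *last_request_head(void) { return last_head; }
int demo_client(const char *data, int close_peer, int timeout_s)
{
    int sv[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -2;
    if (timeout_s > 0) set_read_timeout(sv[0], timeout_s);
    if (data && write(sv[1], data, strlen(data)) < 0) return -2;
    if (close_peer) close(sv[1]);
    last_head[0] = '\0';
    r = read_request_head(sv[0], last_head, sizeof last_head);
    if (!close_peer) close(sv[1]);
    close(sv[0]);
    return r;
}
```

    With this reader, demo_client(NULL, 1, 0) (the advisory's "connect and
    close without sending data" case) returns -1 immediately instead of
    spinning, demo_client(NULL, 0, 1) (a client that stays connected but
    silent) returns -1 after the one-second timeout, and a complete request
    returns its length. path_is_safe() rejects "/../etc/passwd" and its
    %2e%2e-encoded form with or without a query string, while still allowing
    ".." inside the query string, which is where the original check meant to
    permit it.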

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@altervista.org> Luigi
    Auriemma.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
