[UNIX] Surfboard HTTPd Directory Traversal and DoS Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 12/03/03
To: list@securiteam.com Date: 3 Dec 2003 17:54:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Surfboard HTTPd Directory Traversal and DoS Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/surfd/> Surfboard is "a small, simple
HTTPd designed to be set up in a minimum of time and with a minimum of
fuss. CGI is supported, and so are custom CGI handlers for various file
extensions (e.g. .PHP - yes, it works!) POST support is not there, but in
the works". Two vulnerabilities in the product have been found, allowing
attackers to view files that reside outside the bounding HTML root
directory, and to cause the server to consume large amount of CPU time.
DETAILS
Vulnerable systems:
* Surfboard HTTPd version 1.1.8 and prior
Directory Traversal
The web server checks for the dot-dot pattern only if there is a '?' in the
URI (used for server-side scripts), so there is no protection against
classical directory traversal. Note: fortunately, the web server does not
support directory indexing, and version 1.0 is not affected by this bug.
Resource Consumption
The web server uses an unusual method to read the browser's input: it loops
until it receives a second line feed. Unfortunately, the web server does not
check for errors, so if the client breaks the connection the loop never
ends and the process (the web server uses fork()) is never terminated.
Exploits:
Directory Traversal:
http://server/../etc/passwd
http://server/../../../etc/passwd
Resource Consumption:
Connect to the server with telnet or netcat and then close the connection
(without sending data).
Fix:
Luigi Auriemma alerted the author a week ago; in any case, patching the web
server is very simple. The following patch can be applied to version 1.1.8:
--- surfboard.c 2001-04-11 19:23:36.000000000 +0000
+++ 1.c 2003-11-27 18:38:28.000000000 +0000
@@ -155,7 +155,7 @@
*/
while(1)
{
- while(read(s, &c, 1)<1);
+ if(read(s, &c, 1)<1) break;
if(c=='\r') { continue; }
if(c=='\n' && oldc=='\n') { break; }
oldc=c;
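Review bot: the new `if(read(s, &c, 1)<1) break;` only leaves the header loop; nothing in this hunk marks the request as incomplete, so the code that follows (the "Asked for %s" logging and the path check in the next hunk) still runs on whatever partial `rawreq` was collected before the client disconnected. Suggest having the forked child close the socket and exit (or return an error to the caller) when read() returns 0 or -1, and retrying only when `errno == EINTR`, so that a signal delivered mid-request does not abort a legitimate client.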
@@ -167,7 +167,7 @@
sprintf(buf, "Asked for %s", rawreq);
log_msg(LOG_DEBUG, buf);
- if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,
"`")<strstr(rawreq, "?"))
+ if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,
"..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))
{
log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK
ATTEMPT");
add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");
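Review bot: the added first term covers the no-'?' case, but the remaining two terms still order `strstr()` results that may be NULL: when ".." or "`" is absent and "?" is present the comparison becomes `NULL < ptr`, and C does not define the relational ordering of a null pointer against an object pointer. Suggest computing the pointers once and testing them explicitly, e.g. `q = strstr(rawreq, "?"); d = strstr(rawreq, ".."); if (d && (!q || d < q))`, with the same pattern for the backtick, so the intent (token present in the path part) is stated rather than relying on pointer ordering.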
Fix details:
1) The reading loop is terminated when read() fails.
2) The dot-dot pattern is also checked when there is no '?' in the URI.
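The two fixed routines rewritten as an added example, not code from Surfboard or from the advisory's patch: read_request() gives up when read() reports end of file or an error instead of spinning, and path_is_unsafe() does the dot-dot/backtick check with explicit NULL tests. The function names and the pipe-based demo_read() harness are assumptions made for this example.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Read one request header block from descriptor s into buf, stopping at the
 * first empty line (two consecutive '\n'; '\r' is skipped, as in surfboard).
 * Returns bytes stored, or -1 if the peer closed the connection or an error
 * occurred first: the original while(read(s,&c,1)<1); looped on both forever. */
int read_request(int s, char *buf, size_t len) {
    size_t n = 0;
    char c, oldc = 0;
    while (1) {
        ssize_t r = read(s, &c, 1);
        if (r < 0 && errno == EINTR) continue; /* signal: retry, not an error */
        if (r < 1) return -1;                  /* EOF (client gone) or error */
        if (c == '\r') continue;
        if (c == '\n' && oldc == '\n') break;
        oldc = c;
        if (n + 1 >= len) return -1;           /* would overflow buf */
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Reject a request whose path part (before any '?') contains ".." or a
 * backtick; explicit NULL tests replace the patch's pointer ordering. */
int path_is_unsafe(const char *rawreq) {
    const char *q = strchr(rawreq, '?');
    const char *tokens[] = { "..", "`" };
    for (size_t i = 0; i < 2; i++) {
        const char *p = strstr(rawreq, tokens[i]);
        if (p && (!q || p < q)) return 1;
    }
    return 0;
}

/* Demo harness (assumed, not surfboard code): data goes through a pipe whose
 * write end is closed, i.e. a client that sent data and then disconnected. */
int demo_read(const char *data) {
    char buf[512];
    int fds[2];
    if (pipe(fds) < 0) return -1;
    if (write(fds[1], data, strlen(data)) < 0) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    int n = read_request(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}
```

demo_read("") reproduces the advisory's telnet-and-close case: the fixed loop returns -1 immediately, where the original never returned.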
ADDITIONAL INFORMATION
The information has been provided by Luigi Auriemma <mailto:aluigi@altervista.org>.