Surfboard <= 1.1.8 vulns

From: Luigi Auriemma (aluigi_at_altervista.org)
Date: 12/01/03

    Date: Mon, 1 Dec 2003 12:57:26 +0000
    To: bugtraq@securityfocus.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Surfboard webserver
                  http://surfd.sourceforge.net
    Versions: <= 1.1.8
    Platforms: *nix
    Bugs: ability to view any file on the system, and
                  resource consumption
    Risk: medium/high
    Exploitation: remote/easy
    Date: 01 Dec 2003
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bugs
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    From the website:
    "Surfboard is a trivial web server, written by Meredydd Luff."

    #######################################################################

    =======
    2) Bugs
    =======

    Directory traversal
    -------------------

    The webserver checks for the dot-dot pattern only if there is a '?' in
    the URI (used for server-side scripts), so there is no protection
    against classical directory traversal.
    Note: fortunately the webserver doesn't support directory indexing,
    and version 1.0 is not affected by this bug.

    Resource consumption
    --------------------

    The webserver uses a strange method to read the browser's input: it
    loops until it receives a second line-feed.
    Unfortunately the webserver doesn't check for errors, so if the client
    breaks the connection it enters an infinite loop and the process
    (the webserver uses fork()) is never terminated.

    #######################################################################

    ===========
    3) The Code
    ===========

    Directory traversal
    -------------------

    http://server/../etc/passwd
    http://server/../../../etc/passwd

    Resource consumption
    --------------------

    Connect to the server with telnet or netcat and then close the
    connection (without sending data).

    #######################################################################

    ======
    4) Fix
    ======

    I alerted the author a week ago; however, patching the webserver is
    very simple. The following patch can be applied to version 1.1.8:

    --- surfboard.c 2001-04-11 19:23:36.000000000 +0000
    +++ 1.c 2003-11-27 18:38:28.000000000 +0000
    @@ -155,7 +155,7 @@
         */
         while(1)
         {
    - while(read(s, &c, 1)<1);
    + if(read(s, &c, 1)<1) break;
           if(c=='\r') { continue; }
           if(c=='\n' && oldc=='\n') { break; }
           oldc=c;
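    Review bot: "if(read(s, &c, 1)<1) break;" leaves the loop the same way for end-of-file (0) and for any error (-1), and execution then continues after the loop exactly as it does when the "c=='\n' && oldc=='\n'" test ends a complete request. Record which case ended the loop, and close the socket and exit the child when the request was not completed; a -1 with errno set to EINTR should retry the read rather than abort.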
    @@ -167,7 +167,7 @@
       sprintf(buf, "Asked for %s", rawreq);
       log_msg(LOG_DEBUG, buf);
     
    - if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,
    "`")<strstr(rawreq, "?"))
    + if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,
    "..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))
       {
         log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK ATTEMPT");
         add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");
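    Review bot: the added first term only covers ".." with no '?'; the backtick test at the end of the condition is unchanged and still compares strstr(rawreq, "`") with strstr(rawreq, "?"), which is NULL when the request has no '?'. The result then rests on a relational comparison against a null pointer (undefined in C), so a backtick in a request without '?' is not reliably rejected. Store the three strstr() results in locals, test each for NULL explicitly before comparing, and apply the same no-'?' rule to the backtick as to "..".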

    Details:
    1) the reading loop is terminated if we find an error
    2) we also check for the presence of the dot-dot pattern if there is
       no '?' in the URI

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org
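
The directory traversal check described in section 2, as an added example that is not part of the advisory or of Surfboard's source. `legacy_rejects` models the pre-patch behaviour as the advisory states it, and `path_escapes_root` is a hypothetical segment-aware check that assumes the URI has already been percent-decoded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the pre-patch behaviour described in the advisory:
 * ".." is only looked for when the URI contains a '?'. */
static bool legacy_rejects(const char *uri)
{
    const char *q = strchr(uri, '?');
    const char *dd = strstr(uri, "..");
    return q != NULL && dd != NULL && dd < q;
}

/* Hypothetical stricter check: walk the path part (before any '?')
 * one segment at a time and track depth below the document root. */
static bool path_escapes_root(const char *uri)
{
    size_t len = strcspn(uri, "?");            /* ignore the query string */
    int depth = 0;
    size_t i = 0;

    while (i < len) {
        while (i < len && uri[i] == '/') i++;  /* skip slashes */
        size_t start = i;
        while (i < len && uri[i] != '/') i++;  /* find end of segment */
        size_t seg = i - start;

        if (seg == 0 || (seg == 1 && uri[start] == '.'))
            continue;                          /* empty segment or "." */
        if (seg == 2 && uri[start] == '.' && uri[start + 1] == '.') {
            if (--depth < 0) return true;      /* climbed above the root */
        } else {
            depth++;                           /* ordinary path segment */
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample URIs, including the two paths from the advisory. */
    const char *samples[] = { "/../etc/passwd", "/../../../etc/passwd",
                              "/index.html", "/a/../b.html", "/notes..txt",
                              "/cgi/x?f=.." };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-24s legacy=%d strict=%d\n", samples[i],
               legacy_rejects(samples[i]), path_escapes_root(samples[i]));
    return 0;
}
```

Unlike a plain substring match, the segment walk accepts names such as `/notes..txt` and paths like `/a/../b.html` that stay inside the document root.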

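
The resource consumption case from section 2, as an added example that is not the advisory's or Surfboard's code: a header-reading loop that stops on end-of-file, retries on EINTR and bounds the request size, exercised with a constructed client over a socketpair. The function names, return values and buffer size are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read request headers from s until a blank line.
 * Returns the number of bytes stored, or -1 if the peer closed early,
 * read() failed, or the headers did not fit in buf. */
static long read_headers(int s, char *buf, size_t cap)
{
    size_t n = 0;
    char c, oldc = 0;

    while (n + 1 < cap) {
        ssize_t r = read(s, &c, 1);
        if (r < 0 && errno == EINTR) continue;  /* interrupted: retry */
        if (r <= 0) return -1;                  /* EOF or hard error */
        if (c == '\r') continue;
        if (c == '\n' && oldc == '\n') { buf[n] = '\0'; return (long)n; }
        buf[n++] = c;
        oldc = c;
    }
    return -1;                                  /* request too large */
}

/* Constructed test client: send `data` on one end of a socketpair,
 * close that end, then run read_headers() on the other end. */
static long feed(const char *data)
{
    int sv[2];
    char buf[256];
    long r = -2;                                /* -2: test setup failed */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return r;
    if (write(sv[0], data, strlen(data)) >= 0) {
        close(sv[0]);                           /* the client goes away */
        r = read_headers(sv[1], buf, sizeof buf);
    } else {
        close(sv[0]);
    }
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("complete request : %ld\n", feed("GET / HTTP/1.0\r\n\r\n"));
    printf("connect and close: %ld\n", feed(""));
    printf("truncated request: %ld\n", feed("GET / HTTP/1.0\r\n"));
    return 0;
}
```

A caller that gets -1 should close the socket and let the forked child exit instead of processing the partial request.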
