Bugtraq mailing list archives

Re: DoS attack: apache (& other) .htaccess Authentication


From: dustin () spy net (Dustin Sallings)
Date: Thu, 15 Jan 1998 22:47:26 -0800


If you're now trying to open this directory (or any file within)
and enter any user / password combination, you'll get a
hanging (death running) client. This is because it's reading
/dev/zero and searches for a colon (':') to separate
the user name from the password field (mod_auth.c, get_pw(), line 127).
[...]

Because other authentication methods may also be exploitable,
I would prefer to patch it in a way that it's no longer possible
to open /dev/zero (or any other device) for reading,
so I patched fpopen() in alloc.c:

perhaps you should stat the file and make sure it's a normal file?
There may be other device files which cause problems by virtue
of having lots of data, or by blocking for long periods of time.
For example a blocking read on a dialup device that waits for
carrier sense on a modem.  Is there any reason to allow device
files to be read from the config?

This may not stop all possible attacks.  Normal files might be
used to indefinitely block the daemon.  For example some systems
allow regular users to make NFS mounts.  In this case an NFS
server can be brought up, mounted, then brought down.  The
httpd reading an nfs mounted file would then block for a long
period of time while NFS times out.  The same result can be
achieved by performing a denial of service attack against an already
existing NFS mount.

Are there other ways to cause long blocking times when reading
normal files?  Do any common unix systems have mandatory file locking?

        A size limit might not be a bad thing to do.  Even a normal file (as
someone here mentioned) can do nasty things to the webserver.  Consider:

bleu:~/public_html 159> ls -l .htpasswd
-rw-------    1 dustin   staff    1000000000000 Jan 15 22:44 .htpasswd

        That's a perfectly real file, but if my webserver tried to find a
password in there...

--
Taos Mountain TS         My girlfriend asked me which one I like better.
pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin () spy net>
|    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE
L_______________________ I hope the answer won't upset her. ____________