Bugtraq mailing list archives
[AP] awhttpd v2.2 local DoS
From: methodic <methodic () slartibartfast angrypacket com>
Date: Thu, 3 Jan 2002 15:13:48 -0800
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -

+--------------------- -- -
+ advisory information
+------------------ -- -

author: methodic <methodic () slartibartfast angrypacket com>
release date: 01/03/2002
homepage: http://sec.angrypacket.com
advisory id: 0x0000

+-------------------- -- -
+ product information
+----------------- -- -

software: Anti-Web httpd (awhttpd)
author: HardCore Software
homepage: http://hardcoresoftware.cjb.net/awhttpd/
description: "Anti-Web httpd is a single-process Web server that relies on its inherent simplicity to be robust, and secure."

+---------------------- -- -
+ vulnerability details
+------------------- -- -

problem: local denial-of-service
affected: awhttpd 2.2 and perhaps earlier versions
explanation: any local user with write access to awhttpd's html directory can crash the daemon by crafting a special script which is parsed by awhttpd's scripting engine (which is enabled by default). the offending code exists on line 29 of misc.c:

if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

a sample awhttpd script looks like this:

# test.cgi
--AWHTTPD SCRIPT--
echo "this is a test"
F:test.html

the problem is if test.html doesn't exist in the html directory, then awhttpd will crash on the fclose();

status: vendor was notified
exploit: see above
fix: apply the patches below or disable the scripting engine by editing config.h in the root source directory of awhttpd.

=====[ begin cut here ]=====
--- misc.c.orig Wed Jan 2 16:22:24 2002
+++ misc.c Wed Jan 2 16:26:37 2002
@@ -26,7 +26,7 @@
 void discon(int i)
 {
 close(infd[i]);
- if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
+ if (filefd[i]!= NULL) fclose(filefd[i]);
 if (sending[i]>0) numofusers--;
 sending[i]=0;
 getreqs[i][0]=0;
=====[ end of misc.c patch ]=====

=====[ begin cut here ]=====
--- procscrpt.c.orig Wed Jan 2 16:27:33 2002
+++ procscrpt.c Wed Jan 2 16:51:47 2002
@@ -38,6 +38,12 @@
 sending[i]=1;
 strcpy(getreqs[i],tpbuf+2);
 stripcrlf(getreqs[i]);
+ if(doesfileexist(getreqs[i]) == 0) {
+ strcpy(tpbuf, "Error: cannot locate ");
+ strncat(tpbuf, getreqs[i], 256);
+ strcat(tpbuf, " for reading!\n");
+ logthis(3, tpbuf);
+ }
 fclose(filefd[i]);
 } else if (tpbuf[0]==0) {
 discon(i);
=====[ end of procscrpt.c patch ]=====

+-------- -- -
+ credits
+----- -- -

Bug was found by methodic of AngryPacket security group. Patches by methodic.

+----------- -- -
+ disclaimer
+-------- -- -

The contents of this advisory are Copyright (c) 2002 AngryPacket Security, and may be distributed freely provided that no fee is charged for distribution and that proper credit is given. As such, AngryPacket Security group, collectively or individually, shall not be held liable or responsible for the misuse of any information contained herein.

- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
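Review bot: in the misc.c hunk, the removed line compared filefd[i] against (FILE *) -1, which indicates the slots are initialised to that sentinel somewhere else; if they still are, the new `!= NULL` test will hand a (FILE *) -1 value to fclose() for a slot that never had a file opened, so either initialise the slots to NULL or test for both values. The slot is also never reset after fclose(), so a second discon(i) on the same connection would close an already-closed stream; add `filefd[i] = NULL;` right after the fclose().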
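Review bot: in the procscrpt.c hunk, the new block only logs when doesfileexist() returns 0; it still falls through to fclose(filefd[i]) and leaves getreqs[i] naming the missing file, so the later open fails exactly as before and it is the misc.c change that actually prevents the crash. The `256` passed to strncat() bounds the bytes appended, not the space left in tpbuf, so size it from the destination instead (sizeof tpbuf minus strlen(tpbuf) minus 1). And because tpbuf now embeds the user-supplied name from getreqs[i], make sure logthis() never passes it on as a printf-style format string; log the name as an argument to a fixed format.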
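The crash mechanism above, as an added example that is not awhttpd's code or the advisory's: a model of the per-connection FILE* table, the original sentinel check beside the NULL check from the patch, and a disconnect that also resets the slot so it cannot double-close. The names open_target(), disconnect_slot() and slot_is_open() are invented for this illustration, and the missing path is constructed.

```c
/* Added example, not awhttpd's own code: models the per-connection FILE*
 * table from the advisory and contrasts the original sentinel check with a
 * NULL-aware close. open_target()/disconnect_slot() are invented names. */
#include <stdio.h>

#define MAXCONN 8
static FILE *filefd[MAXCONN];   /* one stream slot per connection, as in awhttpd */

/* awhttpd's original predicate: only the sentinel (FILE *)-1 is skipped.
 * fopen() signals failure with NULL, so a missing file slips through and
 * fclose(NULL) is undefined behaviour (a crash on most libcs). */
int original_check_would_fclose(FILE *fd) { return fd != (FILE *)-1; }

/* Predicate from the misc.c hunk: skip NULL instead. */
int fixed_check_would_fclose(FILE *fd) { return fd != NULL; }

/* Simulates the "F:<file>" directive: open the named file for slot i.
 * Returns 1 on success, 0 if fopen() failed (slot is then NULL). */
int open_target(int i, const char *path) {
    if (i < 0 || i >= MAXCONN) return 0;
    filefd[i] = fopen(path, "r");
    return filefd[i] != NULL;
}

/* Hardened discon(): close only a live stream and reset the slot, so a
 * second disconnect of the same slot cannot double-close the stream. */
void disconnect_slot(int i) {
    if (i < 0 || i >= MAXCONN) return;
    if (filefd[i] != NULL) {
        fclose(filefd[i]);
        filefd[i] = NULL;
    }
}

/* Is slot i currently holding an open stream? */
int slot_is_open(int i) { return i >= 0 && i < MAXCONN && filefd[i] != NULL; }

int main(void) {
    /* Constructed path that does not exist, like the missing test.html. */
    const char *missing = "/nonexistent-dir/test.html";
    int opened = open_target(0, missing);
    printf("open_target: %d, original check would fclose: %d, fixed: %d\n",
           opened, original_check_would_fclose(filefd[0]),
           fixed_check_would_fclose(filefd[0]));
    disconnect_slot(0);   /* nothing to close: safe */
    disconnect_slot(0);   /* slot already NULL: still safe */
    return 0;
}
```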
Current thread:
- [AP] awhttpd v2.2 local DoS methodic (Jan 03)
- Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS) 3APA3A (Jan 05)
- <Possible follow-ups>
- Re: [AP] awhttpd v2.2 local DoS D. (Jan 07)