Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2327
HistoryJan 04, 2002 - 12:00 a.m.

[AP] awhttpd v2.2 local DoS

2002-01-0400:00:00
vulners.com
37
              - -- ------------------------- -- -

[>(] AngryPacket Security Advisory [>(]
- – ------------------------- – -

±-------------------- – -

±------------------- – -

  • product information
    ±---------------- – -
    software: Anti-Web httpd (awhttpd)
    author: HardCore Software
    homepage: http://hardcoresoftware.cjb.net/awhttpd/
    description:
    "Anti-Web httpd is a single-process Web server that relies on its
    inherent simplicity to be robust, and secure."

±--------------------- – -

  • vulnerability details
    ±------------------ – -
    problem: local denial-of-service
    affected: awhttpd 2.2 and perhaps earlier versions
    explaination: any local user with write access to awhttpd's html
    directory can crash the daemon by crafting a special
    script which is parsed by awhttpd's scripting engine
    (which is enabled by default). the offending code
    exists on line 29 of misc.c:

            if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
    
            a sample awhttpd script looks like this:
            # test.cgi
            --AWHTTPD SCRIPT--
            echo "this is a test"
            F:test.html
    
            the problem is if test.html doesn't exist in the html
            directory, then awhttpd will crash on the fclose();
    

status: vendor was notified
exploit: see above
fix: apply the patches below or disable the scripting engine by
editing config.h in the root source directory of awhttpd.

=====[ begin cut here ]=====
— misc.c.orig Wed Jan 2 16:22:24 2002
+++ misc.c Wed Jan 2 16:26:37 2002
@@ -26,7 +26,7 @@

void discon(int i) {
close(infd[i]);

  • if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
  • if (filefd[i]!= NULL) fclose(filefd[i]);
    if (sending[i]>0) numofusers–;
    sending[i]=0;
    getreqs[i][0]=0;
    =====[ end of misc.c patch ]=====

=====[ begin cut here ]=====
— procscrpt.c.orig Wed Jan 2 16:27:33 2002
+++ procscrpt.c Wed Jan 2 16:51:47 2002
@@ -38,6 +38,12 @@
sending[i]=1;
strcpy(getreqs[i],tpbuf+2);
stripcrlf(getreqs[i]);

  • if(doesfileexist(getreqs[i]) == 0) {
  •   strcpy(tpbuf, "Error: cannot locate ");
    
  •   strncat(tpbuf, getreqs[i], 256);
    
  •   strcat(tpbuf, " for reading!\n");
    
  •   logthis(3, tpbuf);
    
  • }
    fclose(filefd[i]);
    } else if (tpbuf[0]==0) {
    discon(i);
    =====[ end of procscrpt.c patch ]=====

±------- – -

  • credits
    ±---- – -
    Bug was found by methodic of AngryPacket security group.
    Patches by methodic.

±---------- – -

  • disclaimer
    ±------- – -
    The contents of this advisory are Copyright (c) 2002 AngryPacket
    Security, and may be distributed freely provided that no fee is charged
    for distribution and that proper credit is given. As such, AngryPacket
    Security group, collectively or individually, shall not be held liable
    or responsible for the misuse of any information contained herein.

                - -- ------------------------- -- -
    

[>(] AngryPacket Security Advisory [>(]
- – ------------------------- – -