Source: securityvulns (SECURITYVULNS:DOC:5157)
Sep 25, 2003 - 12:00 a.m.

NULLhttpd <= 0.5.1 remote resources consumption


#######################################################################

                         Luigi Auriemma

Application: NULLhttpd
http://nullhttpd.sourceforge.net/httpd/
Versions: <= 0.5.1
Platforms: All supported (Win & Unix)
Bug: Remote resources consumption
Risk: Medium
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."
However, as stated by its author, Dan Cahill, this server was not
developed for production servers or for quality and security.

#######################################################################

======
2) Bug

This is a type of bug that I like a lot.
Usually the causes are unchecked return values from the recv() and
select() functions, which let the vulnerable server enter an infinite
loop if it is waiting for a specific amount of data and the client
closes the connection before sending all the requested bytes.

The effects are:

  • CPU at 100%: caused by the loop that calls recv() and/or select()
    infinitely
  • memory consumption: if the server receives data from the client, the
    memory used will not be freed because the request (as seen by the
    server) is still active
  • other resources used: processes, other memory and moreover sockets

As said before, the bug happens when the server waits for data, so the
attacker must use the POST command with the Content-Length parameter.
The following is a practical example:


POST / HTTP/1.0
Content-Length: 10

123456789

So the client "says" that it will send (for example) 1 megabyte, but
then it sends 1 megabyte minus 1 byte (and this is the memory that
will be occupied on the server).
After some connections the server will run out of available sockets
and will be unreachable.
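
The cause described in this section, seen from the defender's side as an added example (not part of the original advisory and not NULLhttpd's code): a POSIX body-read loop that stops when select() times out or recv() reports that the peer has closed. The names read_body and demo and the 2-second timeout are assumptions, and a local socketpair stands in for the network connection.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/socket.h>

/* Added example (hypothetical names): read exactly `want` body bytes.
 * Returns `want` on success; -1 on early close, timeout or socket error. */
long read_body(int fd, char *buf, size_t want, int timeout_sec)
{
    size_t got = 0;
    while (got < want) {
        fd_set rfds;
        struct timeval tv = { timeout_sec, 0 };
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready < 0 && errno == EINTR) continue; /* interrupted: retry */
        if (ready <= 0) return -1;                 /* error or timeout */
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1; /* 0 means the peer closed mid-body */
        got += (size_t)n;
    }
    return (long)got;
}

/* Constructed harness: one end of a socketpair sends `sent` bytes and
 * closes; the other expects `declared` bytes, as Content-Length announces. */
long demo(size_t sent, size_t declared)
{
    int sv[2];
    char out[64], in[64];
    if (sent > sizeof out || declared > sizeof in) return -2;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    memset(out, 'A', sizeof out);
    ssize_t w = sent ? send(sv[0], out, sent, 0) : 0;
    close(sv[0]); /* peer disconnects before the server reads */
    long r = (w == (ssize_t)sent) ? read_body(sv[1], in, declared, 2) : -2;
    close(sv[1]);
    return r;
}

int main(void)
{
    printf("declared 10, sent 9: %ld\n", demo(9, 10));
    printf("declared 10, sent 10: %ld\n", demo(10, 10));
    return 0;
}
```

The timeout here applies to each wait, so a server would still need an overall per-request deadline and a cap on the accepted Content-Length to bound the memory held per connection.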

#######################################################################

===========
3) The Code

The code is for *nix and Win and lets you choose how many kilobytes
to eat for each connection and the number of connections to make:

http://aluigi.altervista.org/poc/webpostmem.zip

#######################################################################

======
4) Fix

No fix.
The author was contacted over 10 days ago, but I have not
received an answer so far.

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org