Date: Wed, 10 Jan 2001 14:13:37 -0800
From: banned-it <banned-it@FATELABS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Attackers can easily crash thttpd and possibly find an exploitable buffer overflow

Advisory Name: Brickserver thttpd DoS and possible risk of buffer overflow
Release Date: 01/09/2001
Application: thttpd with modifications added by the vendor
Platform: Brickserver Small Business Model
Severity: Attackers can easily crash thttpd and possibly find an exploitable buffer overflow
Author(s): lockdown banned-it <bannedit@fatelabs.com>
Vendor Status: Sage Inc. has been notified but we received no response. The site we used to test against seems like it might have been patched.

Overview:
Brickhouse (www.thirdpig.com) runs thttpd/2.16 with Brickhouse modifications for its webserver, and it is closed source. We have gone through the normal thttpd/2.16 source and speculated as to what the problem is. It appears thttpd is resorting to vsprintf() numerous times because it is lacking snprintf() and vsnprintf(). The thttpd source clearly states that the code may not be secure when running in an environment that does not contain the proper header files. We do not have physical access to a Brickhouse server, so we can only speculate about the problem. We found the DoS when we were participating in a wargames server that was using a Brickhouse server. This has also only been tested against this single server. Whether it affects all Brickhouse servers we do not know, because Sage Inc. never replied to our email notifying them of the problem.

Attack:
http://www.victim.com/aaaaaaaaaaaaaaaaaaaaaaaaaaa
About 800 a's should do. You can also telnet and use the 'GET' command.

Summary:
Although the DoS is obviously there, the source is closed, making it rather hard to tell what exactly causes it. It may be possible to gain entry to the Brickserver; however, it is impossible to tell at this point.
The BrickServer runs on a Pentium III processor (Intel x86 architecture), so shellcode should work if a buffer overflow is found. However, while skimming the source code of thttpd without the Brickserver modifications, we have not found any possible overflows as of yet.
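The vsprintf() versus vsnprintf() point raised in the Overview, as an added example that is not thttpd or Brickserver code: a bounded formatter that reports truncation instead of overrunning its buffer, plus a request-URI length pre-check, both exercised against a constructed 800-character URL like the one in the Attack section. The names bounded_format, request_uri_ok, demo and the LINE_BUF size are hypothetical choices for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Fixed line buffer size; a constructed value for this example, not one
 * taken from thttpd or the Brickserver build. */
#define LINE_BUF 256

/* Hypothetical bounded replacement for the unbounded vsprintf() fallback the
 * advisory speculates about. Never writes past dstlen, always NUL-terminates.
 * Returns 1 if the output was truncated, 0 if it fit, -1 on a format error. */
int bounded_format(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dstlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    return (size_t)n >= dstlen;
}

/* Reject an over-long request URI before anything is formatted or copied,
 * rather than relying on truncation downstream. 1 = acceptable, 0 = rejected. */
int request_uri_ok(const char *uri, size_t maxlen)
{
    return strlen(uri) <= maxlen;
}

/* Constructed input: the ~800 'a' URL from the advisory. Returns 1 when the
 * bounded formatter reports truncation, the buffer stays in bounds and
 * NUL-terminated, and the pre-check rejects the URI. */
int demo(void)
{
    char url[801];
    char line[LINE_BUF];
    int truncated;
    memset(url, 'a', 800);
    url[800] = '\0';
    truncated = bounded_format(line, sizeof line, "GET /%s HTTP/1.0", url);
    return truncated == 1 && strlen(line) == (size_t)(LINE_BUF - 1)
        && !request_uri_ok(url, LINE_BUF);
}
```

A server that checks the URI length first and only then formats into fixed buffers with a bounded call never reaches the unbounded write the advisory suspects, so the long request is refused rather than crashing the process.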