SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Surfboard httpd Vendors:   surfd.sourceforge.net
Surfboard httpd Input Validation Flaw Lets Remote Users View Arbitrary Files on the System
SecurityTracker Alert ID:  1008342
SecurityTracker URL:  http://securitytracker.com/id/1008342
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 1 2003
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.1.8 and prior versions
Description:   A vulnerability was reported in the Surfboard httpd. A remote user can view files on the system. A remote user can also cause excessive CPU resources to be consumed.

Luigi Auriemma reported that a remote user can supply a URL containing the '../' directory traversal characters to view arbitrary files on the target system with the privileges of the Surfboard httpd process.

Some demonstration exploit URLs are provided:

http://server/../etc/passwd
http://server/../../../etc/passwd

Version 1.0 is reportedly not affected by this directory traversal flaw.

It is also reported that the web server will continually loop when receiving user-supplied input until a second line feed character is received. A remote user can connect to the web server and then disconnect before sending data to cause the forked process to enter a continual loop.

The vendor has reportedly been notified.

Impact:   A remote user can view arbitrary files on the target system with the privileges of the web server daemon.

A remote user can cause the web server to fork a process that enters a continual loop.

Solution:   No solution was available at the time of this entry.

An unofficial patch is provided in the Source Message.

Vendor URL:  surfd.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Surfboard <= 1.1.8 vulns



#######################################################################

                             Luigi Auriemma

Application:  Surfboard webserver
              http://surfd.sourceforge.net
Versions:     <= 1.1.8
Platforms:    *nix
Bugs:         possibility to view all the files in the system and
              resources consumption
Risk:         medium/high
Exploitation: remote/easy
Date:         01 Dec 2003
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From the website:
"Surfboard is a trivial web server, written by Meredydd Luff."



#######################################################################

=======
2) Bugs
=======


Directory traversal
-------------------

The webserver checks the dot-dot pattern only if there is a '?' in the
URI (used for server side scripts), so there is no protection for the
classical directory traversal exploitation.
Note: fortunally the webserver doesn't support indexing of directories
and the version 1.0 is not affected by this bug.



Resource consumption
--------------------

The webserver uses a strange method to read the browser's input: it
does a loop until it receives a second line-feed.
Unfortunally the webserver doesn't check for errors so if the client
breaks the connection it will enter in an infinite loop and the process
(the webserver uses fork()) will be never terminated.




#######################################################################

===========
3) The Code
===========


Directory traversal
-------------------

http://server/../etc/passwd
http://server/../../../etc/passwd



Resource consumption
--------------------

Connect to the server with telnet or netcat and then close the
connection (without sending data).




#######################################################################

======
4) Fix
======


I have alerted the author a week ago, however patching the webserver is
very simple. The following patch can be applied to the 1.1.8 version:


--- surfboard.c 2001-04-11 19:23:36.000000000 +0000
+++ 1.c 2003-11-27 18:38:28.000000000 +0000
@@ -155,7 +155,7 @@
     */
     while(1)
     {
-      while(read(s, &c, 1)<1);
+      if(read(s, &c, 1)<1) break;
       if(c=='\r') { continue; }
       if(c=='\n' && oldc=='\n') { break; }
       oldc=c;
@@ -167,7 +167,7 @@
   sprintf(buf, "Asked for %s", rawreq);
   log_msg(LOG_DEBUG, buf);
 
-  if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,
"`")<strstr(rawreq, "?"))
+  if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,
"..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))
   {
     log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK ATTEMPT");
     add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");


Details:
1) the reading loop will be terminated if we find an error
2) we check also the presence of the dot-dot pattern if there is no
   '?' in the URI



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC