Abyss Webserver Denial of Service Vulnerability


Postby kostyanj » Mon Apr 07, 2003 7:28 pm

http://www.net-security.org/vuln.php?id=2591



Abyss Webserver Denial of Service Vulnerability
Posted on 07 April 2003


From: Auriemma Luigi <aluigi@pivx.com>

###########################################################

Application: Abyss Webserver (http://www.aprelium.com)
Versions: X1 (v 1.1.2)
Platform: Windows and Linux
Bug: Crash caused by the reading of an unreachable memory zone
Risk: Remote crash
Author: Auriemma Luigi
e-mail: aluigi@pivx.com
web: http://www.pivx.com/luigi/

###########################################################

1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

###########################################################

===============
1) Introduction
===============

Abyss is a very good free and tiny webserver that not only has a lot of functions but also runs on both Win and Linux systems.

###########################################################

======
2) Bug
======

Like all the webservers in the world, Abyss reads the HTTP fields ("Host:" and "Referer:" for example) sent by the remote clients in their HTTP requests.

Every HTTP field is followed by a value used to pass some parameters to the webserver, like what browser we use, if we want the current connection to remain alive for more seconds, if we wanna resume the download of a file and much more.

The problem in Abyss X1 webserver happens when 2 fields passed by the client are incomplete (without their values).

These fields are:
- "Connection:" used to specify if we want to break or continue the current connection with the server.
- "Range:" used to specify how many bytes and from what offset we want to start or continue the download of a file.

So instead of sending for example the field "Connection: close" the attacker will send only "Connection:" without any value after it, and now we will see what really happens in Abyss webserver when it receives this malformed field.

When Abyss receives a request, it will read each HTTP field and the value of each one of these fields. In the case of the "Connection:" and "Range:" fields, the server not only must read them but must also compare them with some default strings to see what type of operation the client has chosen (for example in the case of "Connection:", the server will compare its value with "close" or "Keep-Alive").

The comparison made by the server is case insensitive and to make it the server uses the function strnicmp on Windows and strncasecmp on Linux.

Now Abyss will simply pass the following arguments to the comparison function:
1) address of the first string: this is the value that follows the HTTP field. This address will be 0x00000000 if the value doesn't exist.
2) address of the second string: this is the string we must compare against to see if the first is equal or not ("Keep-Alive" for example).
3) number of chars to compare: this is equal to the size of the second string (the number of chars in "Keep-Alive" for example).

The following is a visual example of the usage of the strnicmp function on a Windows system (don't worry, it is the same on Linux too). The example is just the vulnerable function in Abyss X1 (v1.1.2) that calls strnicmp to compare the value of the "Connection:" field without checking if this value really exists and is stored in memory.

:0040E3EA 6A0A push 00A
:0040E3EC 68205E4100 push 00415E20
(StringData)"keep-alive"
:0040E3F1 FF7508 push dword[ebp+08]
:0040E3F4 FF151C114100 call dword[0041111C ->0001205A _strnicmp]

Explanation:

:0040E3EA it passes 00A (= 10), it is the size of "keep-alive" (3)
:0040E3EC it passes the address of the string "keep-alive" (2)
:0040E3F1 it passes the address of the HTTP field value (1)
:0040E3F4 the program calls the strnicmp function

(At offset 0040E473 you can see the same thing for the "Range:" field)

And now the debugger or just the disassembler will give us the right explanation of the crash that we will see after sending one of the 2 malformed HTTP fields to Abyss webserver:

On Windows the crash will happen at EIP 0x78013590 of MSVCRT.DLL, which is the function that reads the chars of the first string that is stored in memory.
The Assembly instruction at that offset is "mov ah, [esi]", but naturally ESI is NULL because the string DOESN'T exist in memory (the attacker has not sent it!) and the program cannot read a zone of memory located at 0x00000000.

The same thing happens on Linux, which crashes at EIP 0x42079db7, that is the function strncasecmp.

###########################################################

===========
3) The Code
===========

To test the bug try to send the following HTTP request:

--------------
GET / HTTP/1.0
Connection:

--------------

or

--------------
GET / HTTP/1.0
Range:

--------------

###########################################################

======
4) Fix
======

Version X1 v1.1.4 resolves the problem.

###########################################################

=============
5) Philosophy
=============

I'm really hopeful about the FULL-DISCLOSURE policy, because with it "everyone" can know the real effects of an attack, the real danger of a bug, someone can learn a bit of creative programming (I have learned a bit of interesting C from the source code of some published exploits) and it's useful for all the people that are hopeful in this type of disclosure. No secrets!

###########################################################

====================
About PivX Solutions
====================

PivX Solutions is a premier network security consultancy offering a myriad of network security services to our clients, the most notable being our proprietary StrikeFirst Security Assessments (http://www.pivx.com/sf.html).

For more information go to http://www.PivX.com

###########################################################

Any type of feedback is really welcome!

Byez

---
PivX Bug Researcher
http://www.pivx.com/luigi/


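The advisory above boils down to one missing check: a header that is present but has no value reaches the case-insensitive comparison as a null pointer. The following C program is an added example, not code from the advisory or from Abyss; it models that path with a small header lookup, shows the unchecked comparison beside the guarded one, and applies the same guard to "Range:". The REQ_* requests are constructed samples (the first is the advisory's own test request), and all function names are hypothetical.

```c
/* Added example, not Abyss's code: a small header lookup that models the
 * failure described in the advisory (a missing header value reaching
 * strncasecmp as a null pointer) and the check that prevents it.
 * REQ_* are constructed sample requests; all names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (Linux); the Windows twin is _strnicmp */

enum conn_mode { CONN_DEFAULT = 0, CONN_CLOSE = 1, CONN_KEEP_ALIVE = 2 };

struct byte_range { int valid; unsigned long first, last; };

/* Constructed inputs: the first is the advisory's own test request, the
 * second is a well-formed request carrying both headers. */
static const char REQ_MALFORMED[] = "GET / HTTP/1.0\r\nConnection:\r\n\r\n";
static const char REQ_NORMAL[] =
    "GET / HTTP/1.0\r\nConnection: Keep-Alive\r\nRange: bytes=0-99\r\n\r\n";

/* Find "<name>:" at the start of a request line and return a pointer to the
 * value with leading blanks skipped. Returns NULL when the header is absent
 * or has no value, which is exactly the address-0 argument the advisory
 * describes being handed to the comparison. */
const char *header_value(const char *request, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = request;
    while (line != NULL && *line != '\0') {
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            if (*v == '\0' || *v == '\r' || *v == '\n')
                return NULL;               /* field present, value missing */
            return v;
        }
        line = strchr(line, '\n');         /* advance to the next line */
        if (line != NULL)
            line++;
    }
    return NULL;
}

/* The shape of the bug: compare without checking. With value == NULL this
 * reads from address 0 inside strncasecmp, the crash the advisory shows at
 * "mov ah, [esi]". Never call it with NULL; classify_connection() guards it. */
enum conn_mode classify_connection_unchecked(const char *value)
{
    if (strncasecmp(value, "keep-alive", 10) == 0)
        return CONN_KEEP_ALIVE;
    if (strncasecmp(value, "close", 5) == 0)
        return CONN_CLOSE;
    return CONN_DEFAULT;
}

/* Hardened form: an empty or absent value is ordinary input and falls back
 * to the protocol default (HTTP/1.0 closes unless told otherwise). */
enum conn_mode classify_connection(const char *value)
{
    if (value == NULL)
        return CONN_DEFAULT;
    return classify_connection_unchecked(value);
}

/* Same guard for "Range:"; only a single "bytes=first-last" form is accepted. */
struct byte_range parse_range(const char *value)
{
    struct byte_range r = { 0, 0, 0 };
    if (value == NULL || strncasecmp(value, "bytes=", 6) != 0)
        return r;
    if (sscanf(value + 6, "%lu-%lu", &r.first, &r.last) != 2 || r.first > r.last)
        return r;
    r.valid = 1;
    return r;
}

int main(void)
{
    const char *v = header_value(REQ_MALFORMED, "Connection");
    printf("malformed Connection value is %s -> mode %d\n",
           v == NULL ? "NULL" : v, classify_connection(v));
    struct byte_range r = parse_range(header_value(REQ_NORMAL, "Range"));
    printf("Range valid=%d first=%lu last=%lu\n", r.valid, r.first, r.last);
    return 0;
}
```

The design point is that the lookup makes "no value" an explicit, expected result (NULL) and every consumer treats it as a legitimate input rather than assuming the parser always hands back a readable string; the unchecked variant is kept only to show where the original fault sits.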

Postby wacky-sung » Sat Apr 12, 2003 1:29 pm

I like Abyss web server cos it is very simple to use, but the problem is that I got hacked also by using it in my Windows OS. What a disappointment to see more exploits being revealed. I have even talked to the Abyss admin and complained about the software having exploits but he just keeps telling me that there are none. Is he a liar or does he just not know?

Postby kostyanj » Sat Apr 12, 2003 1:31 pm

Usually software companies don't know about software exploits until hackers exploit them. Hackers are usually the first ones to find exploits, at least before the software company does.

Postby wacky-sung » Sat Apr 12, 2003 1:35 pm

I think Apache is still the safest and more secure than the rest. May I start learning Apache web server? If you know how to do it for Linux maybe I can seek help from you if I face problems in it.

Postby kostyanj » Sat Apr 12, 2003 1:37 pm

Apache really isn't that hard to install. It's the configuration that's a bitch. If you install something like webmin, it makes configuration a snap.

Postby wacky-sung » Sat Apr 12, 2003 1:45 pm

That's the reason why I got stuck with the configuration of Apache in Windows, getting nowhere in spite of reading the instructions over and over again. Therefore I wanna learn now in Linux, do you know how? How about webmin as you mentioned it? Do you know both Apache and Webmin?

Postby kostyanj » Sat Apr 12, 2003 1:47 pm

Webmin is a configuration utility for everything in Linux.