From: zillion (zillion safemode.org)
Date: Mon Dec 17 2001 - 00:33:20 CST
Tamer Sahin reported a DoS vulnerability in Atphttpd last week. This is
an exploitable buffer overflow which has been known for several months.
The author was informed about it 3 months ago and responded with the
words: "well there probably a lot more wrong with atphttpd" and has not
done a thing about it.
Here is an exploit which demonstrates the buffer overflow vulnerability
(has been available on safemode.org for about 3 weeks, proof
http://www.google.com/search?q=atphttpd ;-)
http://www.safemode.org/files/zillion/atphttpd-expl
BTW you could have seen that this is exploitable from your core file:
bash-2.05$ gdb -core=atphttpd.core
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd2.9".
Core was generated by `atphttpd'.
Program terminated with signal 11, Segmentation fault.
#0 0x41414141 in ?? ()
(gdb) info all
eax 0x0 0
ecx 0xce 206
edx 0xdfbfc7e8 -541079576
ebx 0x0 0
esp 0xdfbfcb10 0xdfbfcb10
ebp 0x41414141 0x41414141
esi 0x0 0
edi 0x0 0
eip 0x41414141 0x41414141 <-- bingo!
eflags 0x246 582
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x1f 31
gs 0x1f 31
(gdb)
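As an added illustration (not part of zillion's post and not atphttpd code), the following Python helper parses a gdb `info registers` dump like the one above and flags registers whose value is a single repeated byte, which is exactly why an eip of 0x41414141 after a request of 3000 'A's is the "bingo" here: the saved return address was overwritten with request data. The sample dump is the one from the post; register names and the x86 width assumption are mine.

```python
import re

# Register dump copied from the OpenBSD gdb session quoted in the post above.
GDB_INFO_REGISTERS = """\
eax 0x0 0
ecx 0xce 206
edx 0xdfbfc7e8 -541079576
ebx 0x0 0
esp 0xdfbfcb10 0xdfbfcb10
ebp 0x41414141 0x41414141
esi 0x0 0
edi 0x0 0
eip 0x41414141 0x41414141 <-- bingo!
eflags 0x246 582
"""

# Registers whose corruption means the crash is more than a plain DoS (assumed set).
CONTROL_REGS = {"eip", "esp", "ebp", "rip", "rsp", "rbp"}
LINE_RE = re.compile(r"^\s*([a-z0-9]+)\s+0x([0-9a-fA-F]+)\b")

def parse_registers(dump):
    """Map register name -> integer value from gdb 'info registers' text."""
    regs = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def fill_byte(value):
    """Return the byte if `value` is one non-zero byte repeated across the whole register, else None."""
    width = 8 if value > 0xFFFFFFFF else 4   # assume 32-bit unless the value needs 64 bits
    raw = value.to_bytes(width, "little")
    return raw[0] if len(set(raw)) == 1 and raw[0] != 0 else None

def triage(dump):
    """List registers holding a repeated fill byte, noting whether each controls execution."""
    findings = []
    for name, value in parse_registers(dump).items():
        b = fill_byte(value)
        if b is not None:
            printable = chr(b) if 0x20 <= b < 0x7F else None
            findings.append({"reg": name, "value": value, "byte": printable,
                             "control": name in CONTROL_REGS})
    return findings

def is_likely_exploitable(dump):
    """True when the instruction pointer itself carries the fill pattern."""
    return any(f["reg"] in ("eip", "rip") for f in triage(dump))
```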
The thing that probably sucks the most about Atphttpd is that there are
many sites that link to it by using the same cut-and-paste marketing
crap about this HTTP server.
Anyway I would strongly encourage anyone who is using atphttpd to find
another server, as atphttpd has had its glory days and is currently
nothing more than a security threat on your network.
Cheers,
zillion
> ATPhttpd 0.4 DoS Vulnerability
>
> Type:
> DoS, crashes Daemon
>
> Release Date:
> December 13, 2001
>
> Product / Vendor:
> ATPhttpd, the tiny, caching, high performance webserver. ATPhttpd is
> ideal for serving lots of static content, especially where disk I/O
> is expensive, such as NFS mounted web shares, or graphics servers.
>
> http://www.redshift.com/~yramin/atp/atphttpd/
>
> Summary:
> Server crashes after sending very long URL a few times.
>
> http://host/AAAAAAAAA...(Ax3000)...AAA
>
> Log:
> You may reach the core file through
> http://www.securityoffice.net/downloads/atphttpd.core
>
> Exploit:
> atphttpd.pl by Tamer Sahin
> http://www.securityoffice.net/downloads/atphttpd.txt
>
> Tested:
> OpenBSD 2.9 / ATPhttpd 0.4 Alpha release
>
> Vulnerable:
> ATPhttpd 0.4 Alpha release (And may be other)
>
> Disclaimer:
> http://www.securityoffice.net is not responsible for the misuse or
> illegal use of any of the information and/or the software listed on
> this security advisory.
>
> Author:
> Tamer Sahin
> ts securityoffice.net
> http://www.securityoffice.net
>
> Tamer Sahin
> http://www.securityoffice.net
> PGP Key ID: 0x2B5EDCB0 Fingerprint:
> B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
>