Re: DoS attack: apache (& other) .htaccess Authentication

From: Don Lewis (Don.Lewisat_private)
Date: Thu Jan 15 1998 - 05:46:27 PST

Next message: Sevo Stille: "Re: DoS attack: apache (& other) .htaccess Authentication"

Previous message: Jeff Johnson: "Memory allocation bug and SSH vunerability."
Maybe in reply to: janat_private: "DoS attack: apache (& other) .htaccess Authentication"
Next in thread: Sevo Stille: "Re: DoS attack: apache (& other) .htaccess Authentication"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Jan 14,  7:08pm, janat_private wrote:
} Subject: DoS attack: apache (& other) .htaccess Authentication

} If you're now trying to open this directory (or any file within)
} and enter any user / password combination, you'll get a
} hanging (death running) client. This is, because it's reading
} /dev/zero and searches for a colon (':') to separate
} the user name from the password field (mod_auth.c, get_pw(), line 127).

} b) patch to apache source
}
} Because also other authentication methods may be exploitable
} I would prefer to patch it in a way that it's no longer be
} available to open /dev/zero (or any other device) for reading,
} so I patched fpopen() in alloc.c:
}
} kirk: ~/src/apache_1.2.4/src> gdiff -uw alloc.c.orig alloc.c
} --- alloc.c.orig        Thu Jan  8 14:14:13 1998
} +++ alloc.c     Fri Jan  9 13:37:21 1998
} @@ -839,9 +839,14 @@
}  {
}    FILE *fd = NULL;
}    int baseFlag, desc;
} +  struct stat buf;
}
}    block_alarms();
}
} +  if (   *mode != 'r'
} +      || (strcmp(name,"/dev/null") == 0)
} +      || stat(name, &buf) == 0 && ((buf.st_mode & S_IFMT) == S_IFREG))
} +  {
}    if (*mode == 'a') {
}      /* Work around faulty implementations of fopen */
}      baseFlag = (*(mode+1) == '+') ? O_RDWR : O_WRONLY;
} @@ -854,6 +859,7 @@
}    } else {
}      fd = fopen(name, mode);
}    }
} +  }
}
}    if (fd != NULL) note_cleanups_for_file (a, fd);
}    unblock_alarms();
}

This may still be exploitable through a race condition.  If the
user has shell access, he could specify the name of a symlink
in the .htaccess file.  If the user can update the symlink to
change it so that it points to /dev/zero between the stat()
and the fopen(), he can still provoke the DoS.  This is definitely
harder to exploit, but if you change the code to do an open(),
fstat() the resulting file descriptor, and finally fdopen() the
descriptor if fstat() returns a satisfactory result, then the
race condition is avoided.

There is still a less severe DoS possibility if the user specifies
a large colon-less file.  It would probably be wise for get_pw()
give up if it's reading from a bogus looking file.

                        ---  Truck

Next message: Sevo Stille: "Re: DoS attack: apache (& other) .htaccess Authentication"
Previous message: Jeff Johnson: "Memory allocation bug and SSH vunerability."
Maybe in reply to: janat_private: "DoS attack: apache (& other) .htaccess Authentication"
Next in thread: Sevo Stille: "Re: DoS attack: apache (& other) .htaccess Authentication"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:13 PDT