Re: Advisory for Xitami 2.4d7, 2.5d4

From: Ewen McNeill (ewenat_private)
Date: Wed Apr 18 2001 - 03:51:02 PDT

    In message <200104171346.GAA25118at_private>, neme-dhcat_private writes:
    > [ Advisory for Xitami 2.4d7, 2.5d4                  ]
    >[.....]
    >Xitami is a webserver. It has a denial of service.
    >[....]
    >To test this vulnerability, try the following.
    >send a request like this one:
    >www.server.com/aux
    >some computers crash after this request. [Others work a little while longer]
    >[....]
    >Not known at the moment, vendor was contacted and said
    >they would look into it. Over a week has gone by and nothing.
    
    Xitami tries to do the Right Thing (tm) in handling the "magical"
    device filenames; under Win32 (95/98/ME/NT/2000), the function
    system_devicename() in sflfile.c (Xitami is open source; source
    available at http://www.xitami.com/) checks each path component with
    QueryDosDevice(), and rejects paths containing a component that is
    reported as a device.  On other MS-DOS like platforms Xitami compares
    (case insensitively) against a list of "known problem" filenames (aux,
    con, nul, prn, com[0-9], lpt[0-9]); this code is used for plain DOS,
    and OS/2, but not for Win32.
    
    For some reason this test seems to be not detecting AUX as a device
    file under Win32; we are still investigating why, and if the issue is
    confined to AUX or affects some other device names.  However most of the
    problem device names appear to be caught by this QueryDosDevice() test.
    Possibly AUX not being detected like this is affecting some of the other
    programs that were also reported as having the same issue today.
    
    Once we've finished determining the extent of the device files that
    aren't being caught by the existing tests, we plan to release a minor
    update to both Xitami 2.4 (release code), and Xitami 2.5 (beta test code)
    with a work around for this issue, possibly including a hard coded check
    for AUX that is always done, in addition to the Win32 QueryDosDevice()
    where available.  This update will be announced on the Xitami user
    mailing list, and announcement list when it is available.
    
    Meanwhile some Xitami users have reported that defining an Xitami alias
    for "AUX" that points at some non-existent file avoids the issue
    reported (as the alias expansion is done before any files are opened);
    we would suggest those looking for an immediate work around consider this.
    
    We apologise for not getting back to you earlier; the developer who
    received your message did start investigating the problem.
    
    Ewen
    
    --
    Ewen McNeill, Technical Consultant, iMatix Corporation  www.imatix.com
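
The list-based comparison this message describes for plain DOS and OS/2 (each path component checked case-insensitively against aux, con, nul, prn, com[0-9], lpt[0-9]), written out as an added example; it is not Xitami's code and not part of the original mail. The function names and sample paths are hypothetical, and ignoring an extension or trailing spaces is an assumption beyond what the mail states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Xitami's system_devicename(): returns 1 if the
 * component name[0..len) is one of the names listed in the mail
 * (aux, con, nul, prn, com[0-9], lpt[0-9]), compared case-insensitively. */
static int is_device_name(const char *name, size_t len)
{
    char low[5];
    size_t i;
    /* Assumption beyond the mail: DOS/Win32 ignore an extension and
     * trailing spaces, so "AUX.txt" and "aux " still name the device. */
    for (i = 0; i < len; i++)
        if (name[i] == '.') { len = i; break; }
    while (len > 0 && name[len - 1] == ' ')
        len--;
    if (len < 3 || len > 4)
        return 0;
    for (i = 0; i < len; i++)
        low[i] = (char)tolower((unsigned char)name[i]);
    low[len] = '\0';
    if (len == 3)
        return !strcmp(low, "aux") || !strcmp(low, "con") ||
               !strcmp(low, "nul") || !strcmp(low, "prn");
    /* len == 4: com0..com9 or lpt0..lpt9 */
    return (!strncmp(low, "com", 3) || !strncmp(low, "lpt", 3)) &&
           isdigit((unsigned char)low[3]);
}
/* Returns 1 if any '/' or '\' separated component of path is a device name. */
int path_has_device_component(const char *path)
{
    const char *start = path, *p;
    for (p = path; ; p++) {
        if (*p != '/' && *p != '\\' && *p != '\0')
            continue;
        if (is_device_name(start, (size_t)(p - start)))
            return 1;
        if (*p == '\0')
            return 0;
        start = p + 1;
    }
}
int main(void)
{
    const char *s[] = { "/aux", "/docs/Aux.html", "/index.html" }; /* constructed */
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-16s %s\n", s[i], path_has_device_component(s[i]) ? "reject" : "serve");
    return 0;
}
```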
    


