#21325: DoS in uhttpd
-----------------------------+------------------------
 Reporter:  rafael.scheel@…  |      Owner:  developers
     Type:  defect           |     Status:  new
 Priority:  normal           |  Milestone:
Component:  packages         |    Version:  Trunk
 Keywords:  DoS              |
-----------------------------+------------------------
 Hello,

 There is a small security-relevant problem in uhttpd. If an HTTP request
 is sent without HTTP/x.x, the server crashes with a SIGSEGV in my test
 environment.
 Just send the following to the server (no space after the /):

 {{{
 GET /
 Host: localhost
 }}}


 GDB-Output:

 {{{
 (gdb) run -f -h /var/www/html -r DoS -x /cgi-bin -p 80
 Starting program: /media/sf_00_arbeit/99_temp/compile/src/uhttpd -f -h /var/www/html -r DoS -x /cgi-bin -p 80

 Program received signal SIGSEGV, Segmentation fault.
 __strcmp_sse4_2 () at ../sysdeps/i386/i686/multiarch/strcmp-sse4.S:229
 229     ../sysdeps/i386/i686/multiarch/strcmp-sse4.S: No such file or directory.
 (gdb) info stack
 #0  __strcmp_sse4_2 () at ../sysdeps/i386/i686/multiarch/strcmp-sse4.S:229
 #1  0x08049efc in uh_http_header_parse (cl=0x805af80 <uh_clients>, buffer=0x8051700 <buffer> "GET", buflen=26) at uhttpd.c:252
 #2  0x0804a277 in uh_http_header_recv (cl=0x805af80 <uh_clients>) at uhttpd.c:352
 #3  0x0804ac54 in main (argc=10, argv=0xbffff4f4) at uhttpd.c:863
 (gdb)
 }}}

 The problem is pretty simple:
 In uhttpd.c -> uh_http_header_parse(...) line 209:

 {{{
                 /* find http version */
                 if( (path != NULL) && ((version = strchr(path, ' ')) != NULL) )
                         *version++ = 0;
 }}}

 So version is set to NULL, but *version++ = 0; is not executed.

 After that, version is passed to strcmp, which therefore fails (line 252):

 {{{
                 /* check version */
                 if( strcmp(version, "HTTP/0.9") && strcmp(version, "HTTP/1.0") && strcmp(version, "HTTP/1.1") )
                 {
                         /* unsupported version */
                         uh_http_response(cl, 400, "Bad Request");
                         return NULL;
                 }
 }}}


 Cheers,
 Rafael

--
Ticket URL: <https://dev.openwrt.org/ticket/21325>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
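
The request-line handling described in the ticket, with the missing NULL guard in place, as an added example that is not uhttpd's code or the project's fix. The function `parse_request_line` and its return convention (0 or 400) are hypothetical, and the sample requests are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not uhttpd's API: splits "METHOD PATH VERSION" in place.
 * Returns 0 when the line is acceptable, 400 when it must be rejected. */
int parse_request_line(char *line, char **method, char **path, char **version)
{
    *method = line;
    *path = NULL;
    *version = NULL;

    /* terminate the buffer at the end of the request line */
    line[strcspn(line, "\r\n")] = '\0';

    /* find request path */
    if ((*path = strchr(line, ' ')) != NULL)
        *(*path)++ = '\0';

    /* find http version; stays NULL when no second space exists */
    if (*path != NULL && (*version = strchr(*path, ' ')) != NULL)
        *(*version)++ = '\0';

    /* the guard the ticket shows is missing: no NULL token reaches strcmp() */
    if (*path == NULL || *version == NULL)
        return 400;

    /* check version, same comparison as in the ticket */
    if (strcmp(*version, "HTTP/0.9") && strcmp(*version, "HTTP/1.0") &&
        strcmp(*version, "HTTP/1.1"))
        return 400;

    return 0;
}

int main(void)
{
    /* constructed inputs: the request from the ticket and a well-formed one */
    char bad[] = "GET /\r\nHost: localhost\r\n\r\n";
    char good[] = "GET / HTTP/1.1\r\nHost: localhost\r\n\r\n";
    char *m, *p, *v;

    printf("no version -> %d\n", parse_request_line(bad, &m, &p, &v));
    printf("HTTP/1.1   -> %d\n", parse_request_line(good, &m, &p, &v));
    return 0;
}
```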