- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
+--------------------- -- -
+ advisory information
+------------------ -- -
author: methodic <methodic@slartibartfast.angrypacket.com>
release date: 01/03/2002
homepage: http://sec.angrypacket.com
advisory id: 0x0000
+-------------------- -- -
+ product information
+----------------- -- -
software: Anti-Web httpd (awhttpd)
author: HardCore Software
homepage: http://hardcoresoftware.cjb.net/awhttpd/
description:
"Anti-Web httpd is a single-process Web server that relies on its
inherent simplicity to be robust, and secure."
+---------------------- -- -
+ vulnerability details
+------------------- -- -
problem: local denial-of-service
affected: awhttpd 2.2 and perhaps earlier versions
explaination: any local user with write access to awhttpd's html
directory can crash the daemon by crafting a special
script which is parsed by awhttpd's scripting engine
(which is enabled by default). the offending code
exists on line 29 of misc.c:
if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
a sample awhttpd script looks like this:
# test.cgi
--AWHTTPD SCRIPT--
echo "this is a test"
F:test.html
the problem is if test.html doesn't exist in the html
directory, then awhttpd will crash on the fclose();
status: vendor was notified
exploit: see above
fix: apply the patches below or disable the scripting engine by
editing config.h in the root source directory of awhttpd.
=====[ begin cut here ]=====
--- misc.c.orig Wed Jan 2 16:22:24 2002
+++ misc.c Wed Jan 2 16:26:37 2002
@@ -26,7 +26,7 @@
void discon(int i) {
close(infd[i]);
- if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
+ if (filefd[i]!= NULL) fclose(filefd[i]);
if (sending[i]>0) numofusers--;
sending[i]=0;
getreqs[i][0]=0;
=====[ end of misc.c patch ]=====
=====[ begin cut here ]=====
--- procscrpt.c.orig Wed Jan 2 16:27:33 2002
+++ procscrpt.c Wed Jan 2 16:51:47 2002
@@ -38,6 +38,12 @@
sending[i]=1;
strcpy(getreqs[i],tpbuf+2);
stripcrlf(getreqs[i]);
+ if(doesfileexist(getreqs[i]) == 0) {
+ strcpy(tpbuf, "Error: cannot locate ");
+ strncat(tpbuf, getreqs[i], 256);
+ strcat(tpbuf, " for reading!\n");
+ logthis(3, tpbuf);
+ }
fclose(filefd[i]);
} else if (tpbuf[0]==0) {
discon(i);
=====[ end of procscrpt.c patch ]=====
+-------- -- -
+ credits
+----- -- -
Bug was found by methodic of AngryPacket security group.
Patches by methodic.
+----------- -- -
+ disclaimer
+-------- -- -
The contents of this advisory are Copyright (c) 2002 AngryPacket
Security, and may be distributed freely provided that no fee is charged
for distribution and that proper credit is given. As such, AngryPacket
Security group, collectively or individually, shall not be held liable
or responsible for the misuse of any information contained herein.
- -- ------------------------- -- -
[>(] AngryPacket Security Advisory [>(]
- -- ------------------------- -- -
