Bugtraq mailing list archives

Re: [AP] awhttpd v2.2 local DoS


From: "D." <dugely () yahoo com>
Date: Sun, 6 Jan 2002 21:11:45 -0800 (PST)

ANTI-WEB HTTPD OFFICIAL SECURITY ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is Doug Hoyte, head programmer of the Anti-Web HTTPD project.

A recent advisory put out by methodic from AngryPacket <methodic () slartibartfast angrypacket com> has been officially confirmed to be valid; however, DO NOT INSTALL THE PATCH ACCOMPANYING THAT ADVISORY!

It opens up a format string vulnerability in the code, and there may be some stability issues involved also.

In discussion about this vulnerability with 3APA3A <3APA3A () SECURITY NNOV RU> and methodic, a few other problems were unearthed.

DESCRIPTION OF PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~

-A local DoS attack that can be carried out if the attacker has write access to an Anti-Web HTML tree. This is most common when each user has personal webspace on a server. See methodic's advisory for more details.

-Another local DoS attack I discovered while investigating methodic's attack: removing the F: from an AW script altogether can cause AW to escalate CPU usage. Again, the attacker needs write access in an AW HTML tree.

-A potential heap overflow in the loading of the script code, which could result in a shell with UID/GID 32767 (by default). Again, the attacker would have to have write access in an AW HTML tree.

-A syslog() format string vulnerability. Fortunately, this is not exploitable in any official versions of Anti-Web, but it might've posed problems in the event of future code additions.
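As an added illustration (not Anti-Web's code; the wrapper names and the sample request path are hypothetical), here is the shape of the syslog() format string bug in a logthis()-style wrapper next to the hardened form, plus a small review helper for anyone who has extended logthis() with a printf-style format and wants to check that conversions and arguments line up:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* UNSAFE shape (hypothetical, shown only as a comment):
 *
 *     void logthis_unsafe(const char *msg) { syslog(LOG_INFO, msg); }
 *
 * Caller-controlled text becomes the format string, so any '%' sequence in a
 * logged request path or header is interpreted by syslog()'s printf engine. */

/* SAFE shape: the format string is a literal and the untrusted text is always
 * an argument, so '%' sequences in it are stored verbatim, never interpreted. */
void logthis(const char *msg)
{
    syslog(LOG_INFO, "%s", msg);
}

/* Same transformation rendered into a caller buffer so the behaviour can be
 * checked without a syslog daemon. Returns the length snprintf reports. */
int render_entry(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "request: %s", untrusted);
}

/* Review helper for wrappers that DO accept a format (logthis(fmt, ...)):
 * count conversion specifiers so a reviewer or unit test can confirm the count
 * matches the arguments passed. Simplified: "%%" is a literal percent, any
 * other '%' starts one conversion; '*' width/precision arguments are ignored. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    render_entry(buf, sizeof buf, "/~user/%x%x%n");   /* constructed sample */
    printf("%s\n", buf);                               /* literal, uninterpreted */
    printf("%d\n", count_conversions("client %s sent %d bytes"));   /* 2 */
    return 0;
}
```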

FIXES
~~~~~

Download the new, patched version here:

http://hardcoresoftware.cjb.net/awhttpd/awhttpd-2.2.1.tgz

CHANGELOG is here:

http://hardcoresoftware.cjb.net/awhttpd/changes.txt

Alternatively, as mentioned by methodic, you could simply uncomment the "#define NOSCRIPT" line in config.h. Note: in the new version, you would want to comment out "#define SCRIPTING".

Scripting is disabled by default in newer versions now.

I should also add that this new version HASN'T been confirmed stable. It's holding up alright for me, but there are dangling functions, and the new SunOS port is still in beta.

WHO SHOULD GET THE NEW VERSION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you're a sysadmin who is giving users personal webspace in an Anti-Web HTML tree, INSTALL THIS VERSION NOW!

If you're running a small, personal webserver with you as the only user, this version won't add much in terms of security, so you may as well wait for 2.3 to come out, or uncomment NOSCRIPT.

If you've extended the code yourself and taken advantage of the logthis() function, your new code may be vulnerable; UPDATE NOW!

COMMENT
~~~~~~~

Having recently experienced a "GOBBLES" advisory, I was a bit skeptical about this advisory at first, but methodic did an excellent research job here. He also acted very courteously in notifying me, the head programmer.

3APA3A was also very helpful, unearthing other problems with the code.

I'd also like to point out how well this issue illustrates the difficulty in writing completely bug-free code. Even a patch designed to close up a security hole can end up opening another one. The job of a programmer is certainly no cakewalk.

CREDITS
~~~~~~~

methodic and 3APA3A for uncovering these vulnerabilities.

Doug Hoyte
HardCore SoftWare
