surfboard-1.1.8.txt

2003-12-03T00:00:00
ID PACKETSTORM:32312
Type packetstorm
Reporter Luigi Auriemma
Modified 2003-12-03T00:00:00

Description

                                        
                                            `  
#######################################################################  
  
Luigi Auriemma  
  
Application: Surfboard webserver  
http://surfd.sourceforge.net  
Versions: <= 1.1.8  
Platforms: *nix  
Bugs: possibility to view all the files in the system and  
resources consumption  
Risk: medium/high  
Exploitation: remote/easy  
Date: 01 Dec 2003  
Author: Luigi Auriemma  
e-mail: aluigi@altervista.org  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
>From the website:  
"Surfboard is a trivial web server, written by Meredydd Luff."  
  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
  
Directory traversal  
-------------------  
  
The webserver checks the dot-dot pattern only if there is a '?' in the  
URI (used for server side scripts), so there is no protection for the  
classical directory traversal exploitation.  
Note: fortunally the webserver doesn't support indexing of directories  
and the version 1.0 is not affected by this bug.  
  
  
  
Resource consumption  
--------------------  
  
The webserver uses a strange method to read the browser's input: it  
does a loop until it receives a second line-feed.  
Unfortunally the webserver doesn't check for errors so if the client  
breaks the connection it will enter in an infinite loop and the process  
(the webserver uses fork()) will be never terminated.  
  
  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
Directory traversal  
-------------------  
  
http://server/../etc/passwd  
http://server/../../../etc/passwd  
  
  
  
Resource consumption  
--------------------  
  
Connect to the server with telnet or netcat and then close the  
connection (without sending data).  
  
  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
I have alerted the author a week ago, however patching the webserver is  
very simple. The following patch can be applied to the 1.1.8 version:  
  
  
--- surfboard.c 2001-04-11 19:23:36.000000000 +0000  
+++ 1.c 2003-11-27 18:38:28.000000000 +0000  
@@ -155,7 +155,7 @@  
*/  
while(1)  
{  
- while(read(s, &c, 1)<1);  
+ if(read(s, &c, 1)<1) break;  
if(c=='\r') { continue; }  
if(c=='\n' && oldc=='\n') { break; }  
oldc=c;  
@@ -167,7 +167,7 @@  
sprintf(buf, "Asked for %s", rawreq);  
log_msg(LOG_DEBUG, buf);  
  
- if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,  
"`")<strstr(rawreq, "?"))  
+ if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,  
"..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))  
{  
log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK ATTEMPT");  
add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");  
  
  
Details:  
1) the reading loop will be terminated if we find an error  
2) we check also the presence of the dot-dot pattern if there is no  
'?' in the URI  
  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  
`