#######################################################################

                             Luigi Auriemma

Application:  NULLhttpd
              http://nullhttpd.sourceforge.net/httpd/
Versions:     <= 0.5.1
Platforms:    All supported (Win & Unix)
Bug:          Remote resources consumption
Risk:         Medium
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."

However, as stated by the author, Dan Cahill, this server has not been
developed for production servers or for quality and security.

#######################################################################

======
2) Bug
======

This is a type of bug that I like a lot.
Usually the cause is unchecked return values from the recv() and
select() functions, which let the vulnerable server enter an infinite
loop if it waits for a specific amount of data and the client closes
the connection before sending all the requested bytes.

The effects are:
- CPU at 100%: caused by the loop that calls recv() and/or select()
  infinitely
- memory consumption: if the server receives data from the client, the
  memory used will not be freed because the request (as seen by the
  server) is still active
- other resources used: processes, other memory and, above all, sockets

As said before, the bug happens when the server waits for data, so the
attacker must use the POST command with the Content-Length parameter.
The following is a practical example:

------------------
POST / HTTP/1.0
Content-Length: 10

123456789
------------------

So the client "says" that it will send (for example) 1 megabyte, but
then it sends 1 megabyte minus 1 byte (and this is the memory that
will be occupied on the server).
After some connections the server will exhaust all the available
sockets and will be unreachable.

#######################################################################

===========
3) The Code
===========

The code is for *nix and Win and lets you choose how many kilobytes to
eat for each connection and the number of connections to make:

http://aluigi.altervista.org/poc/webpostmem.zip

#######################################################################

======
4) Fix
======

No fix.
The author was contacted over 10 days ago, but I have not received an
answer so far.
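
Added example (not part of the advisory and not NULLhttpd code): a body-reading loop in C that checks every select() and recv() result, so a client that closes before sending the declared Content-Length ends the request instead of leaving the handler looping. The names read_body, demo and the BODY_* codes are hypothetical; demo() uses a constructed socketpair peer that mirrors the request in section 2 (10 bytes declared, 9 sent).

```c
#include <errno.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>
/* Hypothetical result codes for this example. */
enum { BODY_OK = 0, BODY_CLOSED = -1, BODY_TIMEOUT = -2, BODY_ERROR = -3 };

/* Read exactly `want` body bytes (the declared Content-Length) from fd.
 * Every select()/recv() result either makes progress or ends the loop, so
 * a peer that closes or stalls early cannot keep the handler spinning. */
int read_body(int fd, char *buf, size_t want, int timeout_sec, size_t *got)
{
    *got = 0;
    while (*got < want) {
        fd_set rfds;
        struct timeval tv = { timeout_sec, 0 };
        FD_ZERO(&rfds); FD_SET(fd, &rfds);
        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready == 0) return BODY_TIMEOUT;   /* peer stalled */
        if (ready < 0) {
            if (errno == EINTR) continue;      /* interrupted, retry */
            return BODY_ERROR;
        }
        ssize_t n = recv(fd, buf + *got, want - *got, 0);
        if (n == 0) return BODY_CLOSED;        /* closed before full body */
        if (n < 0) {
            if (errno == EINTR) continue;
            return BODY_ERROR;
        }
        *got += (size_t)n;
    }
    return BODY_OK;
}

/* Constructed peer: sends `sent` of `declared` bytes, then closes. */
int demo(size_t declared, size_t sent)
{
    int sv[2], rc = BODY_ERROR;
    char buf[64];
    size_t got = 0;
    if (declared > sizeof buf || sent > 10) return BODY_ERROR;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return BODY_ERROR;
    ssize_t w = write(sv[0], "1234567890", sent);
    close(sv[0]);                              /* client goes away early */
    if (w == (ssize_t)sent) rc = read_body(sv[1], buf, declared, 2, &got);
    close(sv[1]);
    return rc;
}

int main(void) { return demo(10, 9) == BODY_CLOSED ? 0 : 1; }
```

On BODY_CLOSED, BODY_TIMEOUT or BODY_ERROR the caller should close the socket and free the request buffer, which releases the CPU, memory and socket that section 2 lists as consumed.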