#######################################################################

                             Luigi Auriemma

Application:  NULLhttpd
              http://nullhttpd.sourceforge.net/httpd/
Versions:     <= 0.5.1
Platforms:    All supported (Win & Unix)
Bug:          Remote resources consumption
Date:         24 Sep 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."

However, as stated by the author Dan Cahill, this server has not been
developed for production servers or for quality and security.

#######################################################################

======
2) Bug
======

This is a type of bug that I like a lot.
Usually the cause is unchecked return values from the recv() and
select() functions, which let the vulnerable server enter an infinite
loop if it is waiting for a specific amount of data and the client
closes the connection before sending all the requested bytes.

The effects are:

- CPU at 100%: caused by the loop that calls recv() and/or select()
  infinitely
- memory consumption: if the server receives data from the client, the
  memory used will not be freed because the request (as seen by the
  server) is still active
- other resources used: processes, other memory and above all sockets

As said before, the bug happens when the server is waiting for data, so
the attacker must use the POST command with the Content-Length
parameter.
The following is a practical example:

------------------
POST / HTTP/1.0
Content-Length: 10

123456789
------------------

So the client "says" that it will send (for example) 1 megabyte, but
then it sends 1 megabyte minus 1 byte (and this is the memory that will
be occupied in the server).
After some connections the server will run out of available sockets and
will be unreachable.

#######################################################################

===========
3) The Code
===========

The code is for *nix and Win and lets you choose how many kilobytes to
eat for each connection and the number of connections to make:

http://aluigi.org/poc/webpostmem.zip

#######################################################################

======
4) Fix
======

No fix.
The author was notified over 10 days ago but I have not yet received a
response.

#######################################################################
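
Added example (not part of the original advisory and not NULLhttpd code): a body-reading loop that checks the return values of select() and recv(), so an early disconnect ends the request instead of spinning. The names read_body and demo_body, the return codes, the 2-second timeout and the use of a blocking POSIX socket are assumptions made for this illustration.

```c
#include <errno.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not NULLhttpd code: read the `want` bytes announced by
 * Content-Length. Returns bytes read, -1 on error/timeout, -2 on early close. */
ssize_t read_body(int fd, char *buf, size_t want, int timeout_sec)
{
    size_t got = 0;
    while (got < want) {
        fd_set rfds;
        struct timeval tv = { timeout_sec, 0 };  /* reset: select() may modify it */
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int ready = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (ready < 0 && errno == EINTR)
            continue;                  /* interrupted by a signal: retry */
        if (ready <= 0)
            return -1;                 /* select() failed or client went silent */
        ssize_t n = recv(fd, buf + got, want - got, 0);
        if (n == 0)
            return -2;                 /* peer closed before sending everything */
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;                 /* recv() failed: stop instead of spinning */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed demo: a socketpair stands in for the client/server connection.
 * The "client" sends `len` bytes and disconnects; the server expects `announced`. */
int demo_body(const char *data, size_t len, size_t announced)
{
    int sv[2];
    char buf[64];
    if (announced > sizeof buf || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    ssize_t sent = write(sv[0], data, len);
    close(sv[0]);                      /* client closes the connection */
    ssize_t r = (sent == (ssize_t)len) ? read_body(sv[1], buf, announced, 2) : -1;
    close(sv[1]);
    return (int)r;
}

/* The advisory's request: Content-Length: 10 but only "123456789" (9 bytes). */
int main(void) { return demo_body("123456789", 9, 10) == -2 ? 0 : 1; }
```

On any negative return the caller should free the request buffer and close the socket, which releases the memory and descriptor that the advisory describes as staying occupied.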