Date: Mon, 5 Nov 2001 12:57:15 -0000
From: Aiden ORawe <a.orawe@ntlworld.com>
To: bugtraq@securityfocus.com
Subject: RH Linux Tux HTTPD DoS
TUX HTTPD Denial of Service Condition
Background:
-------------
Tux is a Kernel-Space HTTP server coded for optimal performance (IRQ
Affinity,HTTP compression, direct scatter-gather DMA etc.) It is meant to
be used as the main HTTP server for static objects with requests for dynamic
content being passed to a user-space HTTPD server such as Apache on same box
when necessary. Tux is disabled by default.
Vulnerability:
--------------
It is possible to cause a denial of service condition by submitting an
oversized "Host:" header request to the Tux daemon causing an assertion
failure and eventual Kernel Panic. A total system reboot is required to
return full functionality. For example the following script will cause the
target box to crash:
perl -e "print qq(GET / HTTP/1.0\nAccept: */*\nHost: ) . qq(A) x 6000 .
qq(\n)" |nc <ip address> <dest_port>
The following output will then generated (edited for brevity):
Code: Bad EIP Value.
(0)Kernel Panic: Aiee, killing interrupt handler!
In interrupt handler - not syncing!
To the best of my knowledge this is *not* a buffer overflow (despite
apparently being able to overwrite the contents of the EIP register) and as
such cannot be utilised to run arbitrary code. FYI The Tux source code
contains numerous assertions that are used to safegaurd data integrity and
if any of these assertions fail (as it does in this case) code execution is
halted by making a call to the BUG() function.
System(s) tested:
-----------------
RedHat Linux 7.2 , Kernel 2.4.7-10 and 2.4.9-7 running TUX-2.1.0-2.
Additional Notes:
-----------------
security@redhat.com where advised of this issue 25 October 2001.
Solution:
---------
See Security Advisory - RHSA-2001:142-15
http://www.redhat.com/support/errata/RHSA-2001-142.html
Thanks:
-------
Michael K. Johnston
