DOS vulnerability (Trac #181) #87

Closed
edsiper opened this issue Jan 28, 2014 · 2 comments

Comments


edsiper commented Jan 28, 2014

Sending a request containing null bytes causes a thread to crash. If you crash all of the threads, the server becomes useless. Version 1.1.1 is vulnerable.

From GDB:

[2013/05/24 17:35:34] [ Info] HTTP Server started

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6de1b40 (LWP 30602)]
0xb7e7b8a1 in ?? () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt
#0 0xb7e7b8a1 in ?? () from /lib/i386-linux-gnu/libc.so.6
#1 0x08050314 in mk_string_char_search_r ()
#2 0x0804b8c2 in mk_handler_write ()
#3 0x08050c00 in mk_conn_write ()
#4 0x0804f54a in mk_epoll_init ()
#5 0x0804ff07 in mk_sched_launch_worker_loop ()
#6 0xb7f9fd78 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#7 0xb7ed63de in clone () from /lib/i386-linux-gnu/libc.so.6

From monkey's master.log:

[stack trace]
 + ./bin/monkey() [0x80503bb]
 + ./bin/monkey() [0x804efce]
 + [0xb778e40c]
 + /lib/i386-linux-gnu/libc.so.6(+0x968a1) [0xb762c8a1]
 + ./bin/monkey() [0x8051906]
 + ./bin/monkey() [0x804ae1c]
 + ./bin/monkey() [0x804b819]
 + ./bin/monkey() [0x804bd6f]
 + ./bin/monkey() [0x805243b]
 + ./bin/monkey() [0x80509a0]
[2013/05/25 10:58:48] [ Error] Segmentation fault (11), code=1, addr=0xfffffff0

POC:

http://pastebin.com/vcQ2Ktsr

Migrated from http://bugs.monkey-project.com/ticket/181

{
    "status": "closed", 
    "changetime": "2013-05-27T02:05:01", 
    "description": "Sending a request containing null bytes causes a thread to crash. If you crash all of the threads, the server becomes useless. Version 1.1.1 is vulnerable.\n\nFrom GDB:\n===========\n\n[2013/05/24 17:35:34] [   Info] HTTP Server started\n\nProgram received signal SIGSEGV, Segmentation fault.\n[Switching to Thread 0xb6de1b40 (LWP 30602)]\n0xb7e7b8a1 in ?? () from /lib/i386-linux-gnu/libc.so.6\n(gdb) bt\n#0  0xb7e7b8a1 in ?? () from /lib/i386-linux-gnu/libc.so.6\n#1  0x08050314 in mk_string_char_search_r ()\n#2  0x0804b8c2 in mk_handler_write ()\n#3  0x08050c00 in mk_conn_write ()\n#4  0x0804f54a in mk_epoll_init ()\n#5  0x0804ff07 in mk_sched_launch_worker_loop ()\n#6  0xb7f9fd78 in start_thread ()\nfrom /lib/i386-linux-gnu/libpthread.so.0\n#7  0xb7ed63de in clone () from /lib/i386-linux-gnu/libc.so.6\n\nFrom monkey's master.log:\n============================\n\n[stack trace]\n + ./bin/monkey() [0x80503bb]\n + ./bin/monkey() [0x804efce]\n + [0xb778e40c]\n + /lib/i386-linux-gnu/libc.so.6(+0x968a1) [0xb762c8a1]\n + ./bin/monkey() [0x8051906]\n + ./bin/monkey() [0x804ae1c]\n + ./bin/monkey() [0x804b819]\n + ./bin/monkey() [0x804bd6f]\n + ./bin/monkey() [0x805243b]\n + ./bin/monkey() [0x80509a0]\n[2013/05/25 10:58:48] [  Error] Segmentation fault (11), code=1, addr=0xfffffff0\n\nPOC:\n=======\n\nhttp://pastebin.com/vcQ2Ktsr\n\n\n\n\n", 
    "reporter": "dougsko", 
    "cc": "", 
    "resolution": "fixed", 
    "_ts": "1369620301851044", 
    "component": "Unspecified", 
    "summary": "DOS vulnerability", 
    "priority": "blocker", 
    "keywords": "", 
    "version": "", 
    "time": "2013-05-25T15:19:42", 
    "milestone": "", 
    "owner": "edsiper", 
    "type": "defect"
}
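The backtrace above puts the fault in mk_string_char_search_r, reached from mk_handler_write, on a request that carries null bytes; the faulting address 0xfffffff0 in master.log is the 32-bit encoding of -16, the kind of value you get when a pointer is computed from NULL or from a -1 "not found" result. The block below is an added illustration of that bug class written for this page; it is not Monkey's code and does not reproduce the pastebin PoC. It shows why a reverse character search that lets strlen() bound the scan and a length-bounded search disagree as soon as the request buffer contains a NUL, and how a caller should reject such a buffer and check the search result before using it as an offset. The function names (search_r_nul, search_r_len, split_basename), the sample request targets and the extension-split use case are assumptions for the example, not Monkey's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample request targets (not taken from the issue's PoC).
 * SAMPLE_NUL carries an embedded NUL: str* functions see "/index.html",
 * while the server's length-aware buffer holds all 23 bytes.
 */
static const char SAMPLE_NUL[] = "/index.html\0/etc/passwd";
#define SAMPLE_NUL_LEN ((int)sizeof(SAMPLE_NUL) - 1)     /* 23 */
static const char SAMPLE_CLEAN[] = "/static/app.js";
#define SAMPLE_CLEAN_LEN ((int)sizeof(SAMPLE_CLEAN) - 1) /* 14 */

/* Hypothetical NUL-relying reverse search (assumption, not Monkey's code):
 * it bounds the scan with strlen(), so every byte after an embedded NUL is
 * invisible to it even though the caller passed the real length. */
static int search_r_nul(const char *s, int c, int len)
{
    int n = (int)strlen(s);
    if (n > len)
        n = len;
    for (int i = n - 1; i >= 0; i--)
        if (s[i] == (char)c)
            return i;
    return -1;
}

/* Length-bounded reverse search: scans exactly len bytes and never calls a
 * str* function on the request buffer. */
static int search_r_len(const char *s, int c, int len)
{
    for (int i = len - 1; i >= 0; i--)
        if (s[i] == (char)c)
            return i;
    return -1;
}

/* A NUL is not a valid octet in an HTTP request line, so the cheapest
 * defence is to refuse the buffer before any string-based parsing sees it. */
static int request_has_nul(const char *buf, int len)
{
    return memchr(buf, '\0', (size_t)len) != NULL;
}

/*
 * Hardened split of a path into directory and file name: rejects NULs, uses
 * the length-bounded search and checks the result instead of using -1 as an
 * offset. On success returns the offset of the last '/' and points *name at
 * the byte after it; on any failure returns -1 and leaves *name NULL, so a
 * caller cannot write from a pointer derived from a bad offset.
 */
static int split_basename(const char *path, int len, const char **name)
{
    *name = NULL;
    if (len <= 0 || request_has_nul(path, len))
        return -1;
    int pos = search_r_len(path, '/', len);
    if (pos < 0 || pos + 1 >= len)   /* no slash at all, or path ends in '/' */
        return -1;
    *name = path + pos + 1;
    return pos;
}

int main(void)
{
    const char *name;
    printf("NUL-relying search on SAMPLE_NUL : %d\n",
           search_r_nul(SAMPLE_NUL, '/', SAMPLE_NUL_LEN));       /* 0 */
    printf("length-bounded search, same buffer: %d\n",
           search_r_len(SAMPLE_NUL, '/', SAMPLE_NUL_LEN));       /* 16 */
    printf("split_basename(SAMPLE_NUL)        : %d\n",
           split_basename(SAMPLE_NUL, SAMPLE_NUL_LEN, &name));   /* -1 */
    printf("split_basename(SAMPLE_CLEAN)      : %d -> %s\n",
           split_basename(SAMPLE_CLEAN, SAMPLE_CLEAN_LEN, &name),
           name);                                                /* 7 -> app.js */
    return 0;
}
```

The two searches return 0 and 16 for the same 23-byte buffer, which is the disagreement a NUL-containing request exploits: whichever result the caller trusts, the offsets it derives no longer describe the bytes it will actually copy. The practical fix has two independent parts, both shown in split_basename: treat the request as a length-delimited byte buffer (memchr/memrchr-style primitives, never strlen or strrchr), and validate every "not found" result before it becomes pointer arithmetic.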

edsiper commented Jan 28, 2014

Trac update at 20130526T23:49:35:

  • edsiper changed owner from "" to "edsiper"
  • edsiper changed priority from "major" to "blocker"
  • edsiper changed status from "new" to "accepted"


edsiper commented Jan 28, 2014

Trac update at 20130527T02:05:01:

  • edsiper commented:

Bug solved in GIT repository for 1.2 release:

http://goo.gl/vJgqH

  • edsiper changed resolution from "" to "fixed"
  • edsiper changed status from "accepted" to "closed"

@edsiper edsiper closed this as completed Jan 28, 2014