Ticket #477 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

misformed auth exploit / DOS attack

Reported by: gcp@…
Owned by: jan
Priority: high
Milestone:
Component: mod_auth
Version: 1.4.x
Severity: critical
Keywords:
Cc:
Blocked By:
Need User Feedback:
Blocking:

Description

Misformed auth requests can cause lighttpd (1.4.9) to crash:

Program received signal SIGSEGV, Segmentation fault.
0x224f2a46 in http_auth_digest_check (srv=0x8068a48, con=0x0, p=0x807ffb0, req=0x8083758, url=0x0,
    realm_str=0x80de76f "username=\"beta\", realm=\"Beta\", nonce=\"b1d12348b4620437c43dd61c50ae4639\", uri=\"/MJ-BONG.xm.mpc\", qop=auth, noncecount=00000001\", cnonce=\"036FCA5B86F7E7C4965C7F9B8FE714B7\", response=\"29B32C2953C763C6D03"...) at http_auth.c:931
931     MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));

Chat excerpt:

<DEATH> Digest realm="Beta", nonce="b1d12348b4620437c43dd61c50ae4639", qop="auth"
<DEATH> Digest username="beta", realm="Beta", nonce="b1d12348b4620437c43dd61c50ae4639", uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001", cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7", response="29B32C2953C763C6D033C8A49983B87E"
<DEATH> note bad " after noncecount

Change History

Changed 3 years ago by jan

  • status changed from new to assigned

I can verify the bug and added a testcase to the testsuite.

Changed 3 years ago by jan

  • status changed from assigned to closed
  • resolution set to fixed

fixed in [971]
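
An added example, not lighttpd's code and not the change in [971]: a minimal C check that rejects a Digest header before hashing when a field the hash reads is absent. It assumes the crash at http_auth.c:931 is `nc` being NULL because the header carries `noncecount=` instead of `nc=`; the struct, the function names and the comma-splitting parser are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for Digest fields; NULL means the client did not send it. */
struct digest_fields { char *username, *realm, *nonce, *uri, *qop, *nc, *cnonce, *response; };

/* Header from the ticket's chat excerpt (has "noncecount", no "nc"). */
static const char MALFORMED[] = "username=\"beta\", realm=\"Beta\", "
    "nonce=\"b1d12348b4620437c43dd61c50ae4639\", uri=\"/MJ-BONG.xm.mpc\", qop=auth, "
    "noncecount=00000001\", cnonce=\"036FCA5B86F7E7C4965C7F9B8FE714B7\", "
    "response=\"29B32C2953C763C6D033C8A49983B87E\"";
/* Constructed sample: a well-formed header with placeholder values. */
static const char WELLFORMED[] = "username=\"beta\", realm=\"Beta\", nonce=\"abc\", "
    "uri=\"/\", qop=auth, nc=00000001, cnonce=\"def\", response=\"0123\"";

/* Split "k=v, k=\"v\"" in place. Simplification: values must not contain commas.
 * Unknown keys such as "noncecount" are ignored, so their slot stays NULL. */
static void digest_parse(char *hdr, struct digest_fields *f) {
    static const char *names[] = { "username", "realm", "nonce", "uri",
                                   "qop", "nc", "cnonce", "response" };
    char **slots[] = { &f->username, &f->realm, &f->nonce, &f->uri,
                       &f->qop, &f->nc, &f->cnonce, &f->response };
    memset(f, 0, sizeof(*f));
    for (char *tok = strtok(hdr, ","); tok; tok = strtok(NULL, ",")) {
        while (*tok == ' ') tok++;
        char *val = strchr(tok, '=');
        if (!val) continue;
        *val++ = '\0';
        size_t len = strlen(val);
        if (len && val[len - 1] == '"') val[--len] = '\0'; /* closing quote */
        if (*val == '"') val++;                            /* opening quote */
        for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
            if (strcmp(tok, names[i]) == 0) *slots[i] = val;
    }
}

/* 0 if every field the response hash reads is present, -1 otherwise.
 * With qop set, nc and cnonce are hashed too, so both become mandatory. */
int digest_header_ok(const char *hdr) {
    char buf[1024];
    struct digest_fields f;
    if (strlen(hdr) >= sizeof(buf)) return -1;
    strcpy(buf, hdr);
    digest_parse(buf, &f);
    if (!f.username || !f.realm || !f.nonce || !f.uri || !f.response) return -1;
    return (f.qop && (!f.nc || !f.cnonce)) ? -1 : 0;
}

int main(void) {
    printf("ticket header: %d\nwell-formed: %d\n",
           digest_header_ok(MALFORMED), digest_header_ok(WELLFORMED));
    return 0;
}
```

A caller would answer a `-1` with a 400 or 401 response instead of passing the fields to the hash.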
