Httpd.dll Data Aborts due to embedded NULL in request header found during vulnerability scan

Post by Curious Ma » Wed, 13 Oct 2010 07:47:21


We're an OEM and design and build a headless device which uses Windows
CE 5.0. The device is controlled by a PXA270 host processor; and our
BSP is a port of the MAINSTONEII BSP. Our Windows CE 5.0 is updated
through the end of 2009, having applied the "Windows CE 5.0 Cumulative
Product Update Rollup 2009". The device uses the web server technology
(ISAPI and ASP/JScript) Microsoft provides with Windows CE to serve
status as well as provide a remote control interface.

During a validation cycle, several devices which were connected to our
company network were inadvertently hit by a random vulnerability scan
run by our network services department. The devices hit by the scan
would no longer respond over their web interface; it was later
determined that a thread in the web server (httpd.dll) had experienced
a Data Abort.

The root cause of this Data Abort was an embedded NULL in the request
headers. Httpd.dll would Data Abort on line 293 in isapi.cpp. The
CHttpRequest::GetServerVariable() method assumes properly terminated
headers and a properly terminated header block; calls to strstr()
assume CRLF would be found and a valid pointer returned. The CRLF
search string is not found; and the NULL pointer returned is adjusted
to point beyond the search string and is then dereferenced, thus
causing the Data Abort.

A quick search of the PRIVATE/SERVERS/HTTP common source tree found
five (5) suspect calls to strstr() that do not check for a NULL
pointer before dereferencing or adjusting and dereferencing the
returned pointer:

/PRIVATE/SERVERS/HTTP/FILTERS/callback.cpp(296)
/PRIVATE/SERVERS/HTTP/ISAPI/isapi.cpp(174)
/PRIVATE/SERVERS/HTTP/ISAPI/isapi.cpp(178)
/PRIVATE/SERVERS/HTTP/ISAPI/isapi.cpp(287)
/PRIVATE/SERVERS/HTTP/ISAPI/isapi.cpp(292)

Almost two years ago, we needed to customize interrupt handling within
the kernel and cloned the processor specific INTR project from within
PLATFORM/COMMON for our use. The common source under the PRIVATE/
SERVERS/HTTP tree is a bit more complex; it's not clear how to clone
the projects that build HTTPISAPI.lib and HTTPFILT.lib so we can
correct the bugs found in isapi.cpp and callback.cpp and integrate our
built libraries back into the final stage when httpd.dll is built.

Any suggestions on how to clone these projects the "correct" way?
Or a way that works? Any thoughts on this matter are much
appreciated.

Thank you in advance for your response,

Marc
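The root-cause paragraph above describes an `strstr()` result that is adjusted and dereferenced without a NULL check. As an added example (not code from the post or from the Windows CE httpd source), here is a hypothetical length-bounded header lookup in C that refuses a block whose line lacks its CRLF instead of adjusting a NULL pointer; `find_header_value` and `bounded_find` are invented names, and the sample header blocks are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-bounded search: unlike strstr() it neither stops at an embedded
 * NUL nor reads past hay_len. Returns NULL when the needle is absent. */
static const char *bounded_find(const char *hay, size_t hay_len,
                                const char *needle, size_t needle_len)
{
    for (size_t i = 0; needle_len && i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/* Hypothetical stand-in for the header lookup the post describes (not the
 * Windows CE httpd source). Finds header `name` in a raw block of hdr_len
 * bytes; returns a pointer to its value (length in *val_len), or NULL if
 * the header is absent or a line lacks its CRLF. The unsafe pattern is
 * p = strstr(p, "\r\n") + 2;  which turns NULL into NULL + 2 and reads it. */
const char *find_header_value(const char *hdr, size_t hdr_len,
                              const char *name, size_t *val_len)
{
    size_t name_len = strlen(name);
    const char *p = hdr, *end = hdr + hdr_len;
    while (p < end) {
        const char *eol = bounded_find(p, (size_t)(end - p), "\r\n", 2);
        if (eol == NULL) return NULL;   /* no terminator: reject, never adjust NULL */
        if (eol == p) return NULL;      /* empty line: end of header block */
        if ((size_t)(eol - p) > name_len && p[name_len] == ':' &&
            memcmp(p, name, name_len) == 0) {
            const char *v = p + name_len + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            *val_len = (size_t)(eol - v);
            return v;
        }
        p = eol + 2;
    }
    return NULL;
}

int main(void)
{   /* Constructed sample: header line with an embedded NUL and no CRLF. */
    const char bad[] = "Host: device\r\nX-Probe: ab\0cd";
    size_t n = 0;
    printf("malformed block %s\n",
           find_header_value(bad, sizeof bad - 1, "X-Probe", &n) ? "parsed" : "rejected");
    return 0;
}
```

The lookup takes an explicit length because a block with an embedded NUL cannot be measured with strlen(); header-name matching here is exact-case for brevity.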