Submitted by Matthew Murphy (mattmurphy)
Pointer Dereference Vulnerability in Savant Web Server
Savant Web Server offers support for HTTP/1.0 POST
requests for dynamic content. A vulnerability has been
discovered in the server that may cause it to crash
when handling POST requests.
Savant dynamically allocates POST buffers based on
the "Content-Length" header. Savant fails to check the
validity of the returned memory pointer after allocation.
If an attacker sends a POST request with a Content-
Length header indicating a very long POST entity, the
memory allocation will fail.
Savant then attempts to write to a NULL memory region
while storing the POST body. This results in an access
violation, crashing the web server process:
POST / HTTP/1.0
Content-Length: -1
AAAAAAAA
Savant parses the -1 into an integer value.
0xFFFFFFFF = -1. The memory allocation routines
invoked by Savant treat this as an unsigned integer, and
this is converted to a memory request of 4,294,967,295
bytes (4 GB). As this is the entire address space of a
Win32 process, this allocation always fails, resulting in
the crash of the server.
Logged In: NO
I have put additional checking of the content-length field to
check that it is non-negative; however, I still need to figure
out a way to prevent a massive content-length being
processed, e.g. content-length=4294967295.
Perhaps this can be defined by the user in config.
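To illustrate the defect in the report above (signed Content-Length handed to an allocator with no check on the returned pointer) next to the two checks the previous comment proposes (reject negatives, cap the size), here is an added C example; it is not Savant's code, and MAX_POST_BODY, its 1 MiB value and the function names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>

/* Assumed server-side cap on POST bodies (the comment above suggests
 * making this user-configurable); 1 MiB is a constructed value. */
#define MAX_POST_BODY (1024UL * 1024UL)

/* The pattern described in the report: the header is parsed as a signed
 * int, passed to malloc() (which takes size_t, so -1 becomes 0xFFFFFFFF
 * on Win32, i.e. a 4 GB request), and the NULL result is never checked. */
static char *alloc_post_body_unsafe(const char *content_length)
{
    int len = atoi(content_length);      /* "-1" -> -1, no validation */
    char *buf = malloc((size_t)len);     /* -1 -> SIZE_MAX, always fails */
    /* Savant writes the POST body into buf here; with buf == NULL that
     * write is the access violation that crashes the server. */
    return buf;
}

/* Hardened parser: 0 and *out set on success, -1 on rejection. Refuses a
 * sign, non-digits, overflow and anything above MAX_POST_BODY, so the
 * allocation size is bounded before malloc() is ever called. */
static int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;
    if (value == NULL || *value == '\0') return -1;
    /* strtoull() silently accepts and negates "-1"; reject signs up front. */
    if (*value == '-' || *value == '+') return -1;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value) return -1;   /* overflow / no digits */
    while (*end == ' ' || *end == '\t' || *end == '\r') end++;
    if (*end != '\0') return -1;                      /* trailing junk */
    if (n > MAX_POST_BODY) return -1;                 /* e.g. 4294967295 */
    *out = (size_t)n;
    return 0;
}

/* Bounded length plus the NULL check the original allocation lacked. */
static char *alloc_post_body_safe(const char *content_length)
{
    size_t len;
    if (parse_content_length(content_length, &len) != 0) return NULL;
    char *buf = malloc(len + 1);         /* len <= MAX_POST_BODY, no overflow */
    if (buf == NULL) return NULL;        /* allocation failure is an error path */
    buf[0] = '\0';
    return buf;
}
```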
Logged In: YES
user_id=98485
I'll keep this bug open for the time being, as I can still see it
being a problem.