
seg fault if digest auth contains "charset" #200

Open
User65k opened this issue Oct 13, 2021 · 6 comments

Comments


User65k commented Oct 13, 2021

Hi,

I tried to run siege against a lighttpd with digest authentication.
That results in

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="###", charset="UTF-8", nonce="###", qop="auth"
Content-Type: text/html
Content-Length: 347
Connection: close
Date: Wed, 13 Oct 2021 10:56:28 GMT
Server: lighttpd/1.4.53


unknown key [charset]
zsh: segmentation fault (core dumped)  siege -g http://###/

Sources:

Owner

JoeDog commented Oct 13, 2021 via email

Author

User65k commented Oct 14, 2021

Sure:

           PID: 17558 (siege)
        Signal: 11 (SEGV)
  Command Line: siege -g http://###/
    Executable: /usr/bin/siege
       Message: Process 17558 (siege) of user 1000 dumped core.
                
                Stack trace of thread 17559:
                #0  0x00007fa89850b12d __strcasecmp_l_avx (libc.so.6 + 0x15d12d)
                #1  0x0000557c96fc1208 __get_h_a1.isra.0 (siege + 0x1e208)
                #2  0x0000557c96fb196e auth_get_digest_header.part.0 (siege + 0xe96e)
                #3  0x0000557c96fb48c9 http_get (siege + 0x118c9)
                #4  0x0000557c96fb7f95 __http (siege + 0x14f95)
                #5  0x0000557c96fb829c __http (siege + 0x1529c)
                #6  0x0000557c96fb8c12 start (siege + 0x15c12)
                #7  0x0000557c96faf191 crew_thread (siege + 0xc191)
                #8  0x00007fa89892b299 start_thread (libpthread.so.0 + 0x9299)
                #9  0x00007fa8984ae353 __clone (libc.so.6 + 0x100353)
                
                Stack trace of thread 17558:
                #0  0x00007fa898937a8a __futex_abstimed_wait_common64 (libpthread.so.0 + 0x15a8a)
                #1  0x00007fa89892c793 __pthread_clockjoin_ex (libpthread.so.0 + 0xa793)
                #2  0x0000557c96fabe31 main (siege + 0x8e31)
                #3  0x00007fa8983d5b75 __libc_start_main (libc.so.6 + 0x27b75)
                #4  0x0000557c96fad6fe _start (siege + 0xa6fe)
                
                Stack trace of thread 17560:
                #0  0x00007fa8983ec062 __sigtimedwait (libc.so.6 + 0x3e062)
                #1  0x00007fa89893555c sigwait (libpthread.so.0 + 0x1355c)
                #2  0x0000557c96fb0c4a sig_handler (siege + 0xdc4a)
                #3  0x00007fa89892b299 start_thread (libpthread.so.0 + 0x9299)
                #4  0x00007fa8984ae353 __clone (libc.so.6 + 0x100353)

Owner

JoeDog commented Oct 14, 2021 via email

Author

User65k commented Oct 14, 2021

No, but maybe the registers help?

(gdb) info registers
rax            0x15                21
rbx            0x7fa8900217b0      140361947289520
rcx            0x0                 0
rdx            0x7fa898572320      140362087080736
rsi            0x0                 0
rdi            0x557c96fc4215      93993597420053
rbp            0x0                 0x0
rsp            0x7fa89839d138      0x7fa89839d138
r8             0x7fa89001c450      140361947268176
r9             0x7fa89839eac0      140362085165760
r10            0x61669f3c          1634115388
r11            0x38                56
r12            0x7fa890022150      140361947291984
r13            0x7fa890021f40      140361947291456
r14            0x557c96fc5e43      93993597427267
r15            0x0                 0
rip            0x7fa89850b12d      0x7fa89850b12d <__strcasecmp_l_avx+73>
eflags         0x10283             [ CF SF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) x/s 0x7fa8900217b0
0x7fa8900217b0: "0!\002\220\250\177"
(gdb) x/s 0x7fa898572320
0x7fa898572320 <_nl_global_locale>:     "\200\345V\230\250\177"
(gdb) x/s 0x557c96fc4215
0x557c96fc4215: "MD5"
(gdb) x/s 0x7fa89839d138
0x7fa89839d138: "\b\022\374\226|U"
(gdb) x/s 0x7fa89001c450
0x7fa89001c450: ", cnonce=\"EaC/dc9ZcKp5Tus4\""
(gdb) x/s 0x7fa89839eac0
0x7fa89839eac0: "/gal/"                                              (path)
(gdb) x/s 0x7fa890022150
0x7fa890022150: "gal"                                                (value from realm)
(gdb) x/s 0x7fa890021f40
0x7fa890021f40: "6166bb5c:a601090c793d6b7b20842485ba829f31"          (value from nonce)
(gdb) x/s 0x557c96fc5e43
0x557c96fc5e43: "\""

Author

User65k commented Oct 18, 2021

Seems like the algorithm key is missing and that's causing the seg fault.
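As an added illustration of the failure mode discussed in this thread (example code, not siege's own): a tolerant parser for a `WWW-Authenticate: Digest` challenge that skips unknown parameters such as `charset` and defaults a missing `algorithm` to MD5, plus a NULL-safe form of the `strcasecmp` comparison the stack trace shows faulting. The struct layout, field sizes and function names are assumptions made for this example.

```c
#include <string.h>
#include <strings.h>
/* Parsed Digest challenge; only the fields this thread touches (assumed layout). */
struct digest_challenge {
    char realm[128], nonce[128], qop[32];
    char algorithm[32];  /* "MD5" when the server omits it (RFC 7616 default) */
};

/* Copy a parameter value, stripping optional surrounding quotes. */
static void copy_value(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= 2 && src[0] == '"' && src[len - 1] == '"') { src++; len -= 2; }
    if (len >= cap) len = cap - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse "Digest k=v, k=v, ..." into c. Unknown keys such as charset are
 * skipped rather than fatal. Returns 0 on success, -1 if not Digest. */
int parse_digest_challenge(const char *hdr, struct digest_challenge *c) {
    memset(c, 0, sizeof *c);
    strcpy(c->algorithm, "MD5");
    if (strncasecmp(hdr, "Digest", 6) != 0) return -1;
    const char *p = hdr + 6;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        const char *key = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') break;
        size_t klen = (size_t)(p - key);
        const char *val = ++p;
        if (*p == '"') { p++; while (*p && *p != '"') p++; if (*p == '"') p++; }
        else { while (*p && *p != ',') p++; }
        size_t vlen = (size_t)(p - val);
        if (klen == 5 && strncasecmp(key, "realm", 5) == 0)
            copy_value(c->realm, sizeof c->realm, val, vlen);
        else if (klen == 5 && strncasecmp(key, "nonce", 5) == 0)
            copy_value(c->nonce, sizeof c->nonce, val, vlen);
        else if (klen == 3 && strncasecmp(key, "qop", 3) == 0)
            copy_value(c->qop, sizeof c->qop, val, vlen);
        else if (klen == 9 && strncasecmp(key, "algorithm", 9) == 0)
            copy_value(c->algorithm, sizeof c->algorithm, val, vlen);
        /* any other key (e.g. charset) is ignored, not dereferenced */
    }
    return 0;
}

/* The comparison that faulted in the thread, made NULL-safe. */
int algorithm_is_md5(const char *alg) {
    return alg == NULL || strcasecmp(alg, "MD5") == 0;
}
```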

Owner

JoeDog commented Oct 18, 2021 via email
