RejectedSoftware Forums

Trying to append absolute path error , w00tw00t attack and vibe.d app

I have a test application running on an Amazon EC2 with nginx.

I got this error and the app crashed.

Path 'w00tw00t.at.blackhats.romanian.anti-sec:)' -> '/w00tw00t.at.blackhats.romanian.anti-sec:)'
Task terminated with unhandled exception: Trying to append absolute path.
Full error: core.exception.AssertError@../../../../root/.dub/packages/vibe-d-master/source/vibe/inet/path.d(186): Trying to append absolute path.
----------------
./my-app(_d_assert_msg+0x45) [0x9835c5]
./my-app(const(vibe.inet.path.Path function(const(vibe.inet.path.Path))) vibe.inet.path.Path.opBinary!("~").opBinary+0x9e) [0x949a72]
./my-app(void vibe.http.fileserver.serveStaticFiles(vibe.inet.path.Path, vibe.http.fileserver.HTTPFileServerSettings).callback(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse)+0x2bf) [0x93d163]
./my-app(void vibe.http.router.URLRouter.handleRequest(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse).void __lambda3!(ulong, immutable(char)[][]).__lambda3(ulong, scope immutable(char)[][])+0x1dc) [0x8c1d78]
./my-app(void vibe.http.router.MatchTree!(vibe.http.router.Route).MatchTree.match(immutable(char)[], scope void delegate(ulong, scope immutable(char)[][]))+0x1dc) [0x8c23b8]
./my-app(void vibe.http.router.URLRouter.handleRequest(vibe.http.server.HTTPServerRequest, vibe.http.server.HTTPServerResponse)+0x1ad) [0x8c1b39]
./my-app(bool vibe.http.server.handleRequest(vibe.core.stream.Stream, vibe.core.net.TCPConnection, vibe.http.server.HTTPServerListener, ref vibe.http.server.HTTPServerSettings, ref bool)+0x1654) [0x942480]
./my-app(void vibe.http.server.handleHTTPConnection(vibe.core.net.TCPConnection, vibe.http.server.HTTPServerListener)+0x1a3) [0x940d4b]
./my-app(void vibe.http.server.listenHTTPPlain(vibe.http.server.HTTPServerSettings).doListen(vibe.http.server.HTTPServerSettings, vibe.http.server.HTTPServerListener, immutable(char)[]).__lambda4(vibe.core.net.TCPConnection)+0x2c) [0x940a38]
./my-app(void vibe.core.drivers.libevent2_tcp.onConnect(int, short, void*).ClientTask.execute()+0x328) [0x88f2a8]
./my-app(_D4vibe4core4core12__T7runTaskZ7runTaskFDFZvZS4vibe4core4task4Task12callDelegateFC4vibe4core4core8CoreTaskZv+0x2b) [0x87c1f3]
./my-app(void vibe.core.core.CoreTask.run()+0x146) [0x8786aa]
./my-app(void core.thread.Fiber.run()+0x2a) [0x9c1dda]
./my-app(fiber_entryPoint+0x61) [0x9c1ce5]
[(nil)]
Segmentation fault (core dumped)

I think this w00tw00t kind of attack contains a GET request without a host.

Additionally, how can somebody be notified when an app is crashing on the server? Could it be programmed in the vibe.d app itself or by using another application or script?

Thanks.

Re: Trying to append absolute path error , w00tw00t attack and vibe.d app

On Mon, 23 Jun 2014 18:13:31 GMT, Yiannis Tsirikoglou wrote:

> I have a test application running on an Amazon EC2 with nginx.
>
> I got this error and the app crashed.
>
> Path 'w00tw00t.at.blackhats.romanian.anti-sec:)' -> '/w00tw00t.at.blackhats.romanian.anti-sec:)'
> Task terminated with unhandled exception: Trying to append absolute path.
> Full error: core.exception.AssertError@../../../../root/.dub/packages/vibe-d-master/source/vibe/inet/path.d(186): Trying to append absolute path.
> (...)
> Segmentation fault (core dumped)
>
> I think this w00tw00t kind of attack contains a GET request without a host.

Recently, assertion handling has been changed to let the application terminate by default. You can define a version VibeDebugCatchAll (see also http://vibed.org/docs#compile-time-configuration) to let vibe.d catch and gracefully handle them. But this isn't recommended for production sites, as it may leave the application in an undefined state or could result in resource/memory leaks.

However, due to this change it has become obvious that there is an explicit input validation check missing. I'll commit a fix.

> Additionally, how can somebody be notified when an app is crashing on the server? Could it be programmed in the vibe.d app itself or by using another application or script?

You could define your own main() and then add a try { ... } catch (Throwable) { ... } around runEventLoop() and then invoke an external process for sending a mail (assuming that the program state is corrupted at this point). Alternatively, it may make more sense to write a little shell script that continuously runs the application and pipes the stdout/stderr streams to a file. Whenever the application has terminated, it would then mail the last tail -n ... lines of that file for examination. This is about how I do it for this site.
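
A sketch of the wrapper-script approach described in the reply above, added here as an example; it is not the script used for this site or code from the thread. The log path, mail address, restart limit and the function names `run_once`, `crash_report` and `supervise` are assumptions.

```shell
#!/bin/sh
# Added example: supervisor for a service binary that may terminate on a crash.
# LOG, TAIL_LINES, NOTIFY and the mail address are assumed placeholders.

LOG="${LOG:-./my-app.log}"
TAIL_LINES="${TAIL_LINES:-50}"
# The notifier reads the report on stdin; the default assumes a working mail(1).
NOTIFY="${NOTIFY:-mail -s my-app-terminated admin@example.invalid}"

# Run the command once, append stdout and stderr to $LOG, return its exit status.
run_once() {
    "$@" >>"$LOG" 2>&1
}

# Build the report: exit status plus the last lines of the log.
crash_report() {
    status=$1
    echo "exit status: $status"
    # By shell convention a status above 128 means death by signal
    # (status - 128), e.g. 139 = SIGSEGV as in the crash quoted in this thread.
    if [ "$status" -gt 128 ]; then
        echo "killed by signal: $((status - 128))"
    fi
    echo "--- last $TAIL_LINES log lines ---"
    tail -n "$TAIL_LINES" "$LOG"
}

# Restart loop: run, report every termination, wait, and stop after
# max_restarts so a crash loop cannot flood the mailbox.
supervise() {
    max_restarts=$1; shift
    n=0
    while [ "$n" -lt "$max_restarts" ]; do
        status=0
        run_once "$@" || status=$?
        crash_report "$status" | $NOTIFY
        n=$((n + 1))
        sleep "${RESTART_DELAY:-5}"
    done
}

# Usage (not executed here): supervise 10 ./my-app
```

Because the log is appended to across restarts, the mailed tail always ends with the output of the run that just terminated, which is where the assertion message and stack trace appear.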

Re: Trying to append absolute path error , w00tw00t attack and vibe.d app

Upon taking a closer look, it seems like this case is already caught. Which version of vibe.d are you using?

For GET w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.0 I get:

[160120F8:1601DDF8 dbg] path 'w00tw00t.at.blackhats.romanian.anti-sec:)' not starting with '/'
[160120F8:1601DDF8 dbg] no route match: GET w00tw00t.at.blackhats.romanian.anti-sec:)
[160120F8:1601DDF8 dia] No response written for w00tw00t.at.blackhats.romanian.anti-sec:)

And for GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.0:

[160120F8:1601DDF8 dbg] Path 'w00tw00t.at.blackhats.romanian.anti-sec:)' -> '/w00tw00t.at.blackhats.romanian.anti-sec:)'
[160120F8:1601DDF8 dbg] Path is absolute, not responding
[160120F8:1601DDF8 dbg] no route match: GET /w00tw00t.at.blackhats.romanian.anti-sec:)
[160120F8:1601DDF8 dia] No response written for /w00tw00t.at.blackhats.romanian.anti-sec:)

Re: Trying to append absolute path error , w00tw00t attack and vibe.d app

On Tue, 24 Jun 2014 09:53:47 GMT, Sönke Ludwig wrote:

> Upon taking a closer look, it seems like this case is already caught. Which version of vibe.d are you using?

Indeed, that application was compiled with an older version of vibe.d. I will update it and report again if I have any issue. Thanks.