BOOZT! Standard's administration CGI vulnerable to buffer overflow

From: rsanmcarat_private
Date: Sat Jan 05 2002 - 10:04:48 PST


    BOOZT! is banner management software for Linux servers. It has a web-based 
    remote administration system. I played with version 0.9.8alpha.
    
    
    Here is a reproduction of the bug:
    
            http://127.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1
    
    Fill the "Name Field" with enough A's (770 was fine for me). Press "Create 
    New Banner". It should show this:
    
    Internal Server Error
    
    The server encountered an internal error or misconfiguration and was unable 
    to complete your request.
    
    Let's see what happened in error_log:
    
    [Tue Feb  5 17:13:52 2002] [error] [client 127.0.0.1] Premature end of script 
    headers: /usr/local/apache/cgi-bin/boozt/admin/index.cgi
    
    Now see what the code for the AdministrationBanners function 
    (src/admin/banners.c) looks like:
    
             char name[255]="";
    
             [...]
    
            if ((pomus=(char *)GetFromCgi("name"))==NULL)  strcpy(name,"");
            else strcpy(name,pomus);
    
    GetFromCgi returns the raw parameter value, however long the client made 
    it, and the strcpy above copies it into the 255-byte "name" buffer with no 
    bounds checking of its own:
    
            #define GetFromCgi(name) cgiParam(name)
    
            const char *cgiParam(const char *name)
            {
             return cgiPosParam((CgiPos*)listGetByName(name));
            }
    
            const char *cgiPosParam(CgiPos *where)
            {
             CgiElement *w=(CgiElement*)where;
             DefCheck(NULL);
    
             [ ... code to walk over the linked list ... ]
            }
    
    Any "name" value longer than 254 bytes therefore overruns the 255-byte 
    stack buffer. With plain A's this corrupts the stack and crashes the CGI 
    (the "Premature end of script headers" error above); with a crafted value 
    (shellcode instead of A's) it could instead give an attacker a shell with 
    the privileges of the httpd user.
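    The following is an added example, not code from BOOZT! or from the 
    original post. It shows, in C, how far the repro input overruns the 
    name[255] buffer when copied with strcpy, and a bounded replacement for 
    the vulnerable copy that rejects over-long input instead of crashing. 
    The function names (overflow_bytes, copy_cgi_param, 
    create_banner_hardened, make_as) are hypothetical, and the 770-A input 
    is constructed here rather than captured from the product.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the stack buffer in AdministrationBanners(): char name[255]. */
#define NAME_BUF_SIZE 255

/* How many bytes strcpy(name, value) would write past a bufsz-byte buffer
 * (the copy includes the terminating NUL).  0 means the value fits. */
size_t overflow_bytes(const char *value, size_t bufsz)
{
    size_t needed = strlen(value) + 1;
    return needed > bufsz ? needed - bufsz : 0;
}

/* Bounded replacement for the vulnerable line
 *     else strcpy(name, pomus);
 * Copies src into dst (dstsz bytes) and always NUL-terminates.
 * Returns 0 on success, -1 if src does not fit; on -1 dst is set to ""
 * so a caller that ignores the result still holds a valid string. */
int copy_cgi_param(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    if (src == NULL)            /* parameter absent: same as strcpy(name, "") */
        src = "";

    size_t len = 0;             /* bounded scan: never read past dstsz bytes */
    while (len < dstsz && src[len] != '\0')
        len++;

    if (len >= dstsz) {         /* no room for the NUL: reject the value */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened sketch of the banner-creation step (hypothetical).  'pomus'
 * plays the role of the value returned by GetFromCgi("name").  Returns 1
 * if the name was accepted into 'name', 0 if the request was rejected. */
int create_banner_hardened(const char *pomus, char *name, size_t namesz)
{
    if (copy_cgi_param(name, namesz, pomus) != 0) {
        /* A real CGI would answer HTTP 400 and log the oversized field
         * instead of dying with "Premature end of script headers". */
        return 0;
    }
    return 1;
}

/* Builds the repro input: n copies of 'A'.  Constructed test data, not
 * captured from the product.  Caller frees. */
char *make_as(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char name[NAME_BUF_SIZE] = "";
    char *big = make_as(770);
    if (big == NULL)
        return 1;

    printf("strcpy of 770 A's would write %zu bytes past name[%d]\n",
           overflow_bytes(big, sizeof name), NAME_BUF_SIZE);
    printf("hardened create with 770 A's: %s\n",
           create_banner_hardened(big, name, sizeof name) ? "accepted" : "rejected");
    printf("hardened create with \"banner1\": %s (name=\"%s\")\n",
           create_banner_hardened("banner1", name, sizeof name) ? "accepted" : "rejected",
           name);
    free(big);
    return 0;
}
```

    The bounded scan in copy_cgi_param matters as much as the length check: 
    a strlen on attacker-controlled data that is not guaranteed to be 
    NUL-terminated would itself read out of bounds, so the copy never looks 
    further than the destination size.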
    
    
                                                                                  
                                            Rafael San Miguel
    Carrasco                                                                             
                                     
    rsanmcarat_private
    



    This archive was generated by hypermail 2b30 : Sat Jan 05 2002 - 17:02:43 PST