Buffer overflow in awhttpd (Re: Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS))

From: 3APA3A (3APA3Aat_private)
Date: Fri Jan 04 2002 - 04:54:09 PST

  • Next message: K.J.Muellerat_private: "AW: IE https certificate attack" 

    Hello 3APA3A,

OK, format string issue exists only in proposed patch... What about this
issue:

There  are (at least) 2 buffer overflows with heap corruption, tpbuf can
be  up  to  210  characters  while  getreqs[i] is malloc(100). Of cause,
target  file  should  exist...  tpbuf  is base dir concatenated with 100
bytes  of  user's  request.  It  does strips all ".." and "/.", but what
about "///////////" ?

simply try GET '/'x100 in few concurrent connections.


/* ---- So? Does all this mess find us the right file? 
        BTW - Check to make sure it isn't a directory... */
if ((doesfileexist(tpbuf)==1) && (isadir(tpbuf)==0)) {
               strcpy(getreqs[i],tpbuf); return 0;        }


...

/* ---- No? How 'bout this? */
if (tpbuf[strlen(tpbuf)-1]!=SLASH) strcat(tpbuf,"/");
strcat(tpbuf,INDEXFILE);
if (doesfileexist(tpbuf)==1) {
               strcpy(getreqs[i],tpbuf); return 0;        }


--Friday, January 04, 2002, 3:07:13 PM, you wrote to methodicat_private:

3> Hello methodic,

3> While  testing  a buffer overflow in you patch (tpbuf is only 210 bytes,
3> but  you're  lucky - getreqs[i] is only 100 bytes long :))) ) I've found
3> classical  exploitable  syslog()  format string in this extremely secure
3> product. Patch?

3> -  if (priority<=LOGLEVEL) syslog(tplev,buf);
3> +  if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);



3> void logthis(int priority, char *buf) {

3> /*
3>    Priority is 1-4, with 1 being the highest priority.
3>    1 - CRITICAL ERRORS
3>    2 - ERRORS
3>    3 - WARNINGS
3>    4 - DEBUG INFORMATION
3> */

3> #ifdef LOGLEVEL

3>   int tplev=0;

3>   if (priority==1) tplev=LOG_CRIT;
3>   if (priority==2) tplev=LOG_ERR;
3>   if (priority==3) tplev=LOG_WARNING;
3>   if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in
3>                                          /var/messages by default, so... */

3>   if (priority<=LOGLEVEL) syslog(tplev,buf);

3> #endif

3> }


3> --Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraqat_private:

m>>                   - -- ------------------------- -- -
[>>>(]                 AngryPacket Security Advisory                 [>(]
m>>                   - -- ------------------------- -- -

m>> +--------------------- -- -
m>> + advisory information
m>> +------------------ -- -
m>> author:       methodic <methodicat_private>
m>> release date: 01/03/2002
m>> homepage:     http://sec.angrypacket.com
m>> advisory id:  0x0000

m>> +-------------------- -- -
m>> + product information
m>> +----------------- -- -
m>> software:     Anti-Web httpd (awhttpd)
m>> author:       HardCore Software
m>> homepage:     http://hardcoresoftware.cjb.net/awhttpd/
m>> description:
m>>      "Anti-Web httpd is a single-process Web server that relies on its
m>>       inherent simplicity to be robust, and secure."

m>> +---------------------- -- -
m>> + vulnerability details
m>> +------------------- -- -
m>> problem:      local denial-of-service
m>> affected:     awhttpd 2.2 and perhaps earlier versions
m>> explaination: any local user with write access to awhttpd's html
m>>               directory can crash the daemon by crafting a special
m>>               script which is parsed by awhttpd's scripting engine
m>>               (which is enabled by default). the offending code
m>>               exists on line 29 of misc.c:

m>>               if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

m>>               a sample awhttpd script looks like this:
m>>               # test.cgi
m>>               --AWHTTPD SCRIPT--
m>>               echo "this is a test"
m>>               F:test.html

m>>               the problem is if test.html doesn't exist in the html
m>>               directory, then awhttpd will crash on the fclose();
m>> status:       vendor was notified
m>> exploit:      see above
m>> fix:          apply the patches below or disable the scripting engine by
m>>               editing config.h in the root source directory of awhttpd.

m>> =====[ begin cut here ]=====
m>> --- misc.c.orig Wed Jan  2 16:22:24 2002
m>> +++ misc.c      Wed Jan  2 16:26:37 2002
m>> @@ -26,7 +26,7 @@
 
m>>  void discon(int i) {
m>>    close(infd[i]);
m>> -  if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m>> +  if (filefd[i]!= NULL) fclose(filefd[i]);
m>>    if (sending[i]>0) numofusers--;
m>>    sending[i]=0;
m>>    getreqs[i][0]=0;
m>> =====[ end of misc.c patch ]=====

m>> =====[ begin cut here ]=====
m>> --- procscrpt.c.orig    Wed Jan  2 16:27:33 2002
m>> +++ procscrpt.c Wed Jan  2 16:51:47 2002
m>> @@ -38,6 +38,12 @@
m>>    sending[i]=1;
m>>    strcpy(getreqs[i],tpbuf+2);
m>>    stripcrlf(getreqs[i]);
m>> +  if(doesfileexist(getreqs[i]) == 0) {
m>> +       strcpy(tpbuf, "Error: cannot locate ");
m>> +       strncat(tpbuf, getreqs[i], 256);
m>> +       strcat(tpbuf, " for reading!\n");
m>> +       logthis(3, tpbuf);
m>> +  }
m>>    fclose(filefd[i]);
m>>  } else if (tpbuf[0]==0) {
m>>    discon(i);
m>> =====[ end of procscrpt.c patch ]=====

m>> +-------- -- -
m>> + credits
m>> +----- -- -
m>> Bug was found by methodic of AngryPacket security group.
m>> Patches by methodic.

m>> +----------- -- -
m>> + disclaimer
m>> +-------- -- -
m>> The contents of this advisory are Copyright (c) 2002 AngryPacket
m>> Security, and may be distributed freely provided that no fee is charged
m>> for distribution and that proper credit is given. As such, AngryPacket
m>> Security group, collectively or individually, shall not be held liable
m>> or responsible for the misuse of any information contained herein.

m>>                   - -- ------------------------- -- -
[>>>(]                 AngryPacket Security Advisory                 [>(]
m>>                   - -- ------------------------- -- -




-- 
~/ZARAZA
Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен)

    This archive was generated by hypermail 2b30 : Sat Jan 05 2002 - 18:29:58 PST