Multiple vulnerabilities in atphttpd-0.4b

From: qitest1 (qitest1at_private)
Date: Fri Jul 12 2002 - 08:20:47 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    		QITEST1 SECURITY ADVISORY #004
    
    Multiple vulnerabilities in atphttpd-0.4b
    
    PROGRAM DESCRIPTION
    atphttpd is a caching, tiny - and buggy - webserver written by Yann
    Ramin <atrusat_private>.
    
    DETAILS
    There are several remotely exploitable flaws in the source code:
    regular buffer overflows and an off-by-one buffer overflow.
    An attacker would gain the privileges of the user running atphttpd.
    
    SOLUTION
    The author was contacted but was not reachable. The following patch
    should fix these bugs.
    
    ==8< atphttpd-0.4b.patch 8<==
    diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c
    - --- atphttpd-0.4b-old/atphttpd/http_handler.c	Sat Apr 22 05:05:57 2000
    +++ atphttpd-0.4b/atphttpd/http_handler.c	Fri Jul 12 13:20:16 2002
    @@ -235,7 +235,7 @@
         (void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status, title );
         sock_puts(hc[listnum].socket, buffer);
     
    - -    (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );
    +    snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text);
         sock_puts(hc[listnum].socket, buffer);
     
         (void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the trained rodents living inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME );
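    Review bot: only the middle of the three sprintf calls writing into the same `buffer` is converted to snprintf; the first (the `%d %s` title line taking `status`/`title`) and the last (taking `SERVER_URL`/`SERVER_NAME`) stay unbounded, so the fix is only complete if those arguments can never exceed the remaining space. Suggest converting all three consistently, e.g. `snprintf(buffer, sizeof(buffer), "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n..."`. Two smaller points: `sizeof(buffer)` is only correct if `buffer` is an array in this scope rather than a pointer, and snprintf truncates silently, so an over-long `text` now yields a cut-off page rather than an error, which deserves a comment.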
    diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
    - --- atphttpd-0.4b-old/atphttpd/main.c	Sat Apr 22 05:06:00 2000
    +++ atphttpd-0.4b/atphttpd/main.c	Fri Jul 12 13:30:55 2002
    @@ -141,13 +141,11 @@
              }
      }
     
    - - void deal_with_data(int listnum) {
    - -         char buffer[MAX_BUFFER];     /* Buffer for socket reads */
    - -//         char *cur_char;      /* Used in processing buffer */
    - -         char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
    - -
    - -         if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
    +void deal_with_data(int listnum) {
    +	char buffer[MAX_BUFFER];
    +	char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
     
    +	if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
                      close(hc[listnum].socket);
                      hc[listnum].socket = 0;
              } else {
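    Review bot: the `MAX_BUFFER - 1` change only closes the off-by-one if `sock_gets` stores up to its length argument and then writes the NUL one byte past it, and that contract is not visible in this hunk; if sock_gets already reserves room for the terminator the change merely shortens the read, and if it does not terminate at all the bug is just moved. Confirm sock_gets's semantics in the patch description, or pass `sizeof(buffer)` and make sock_gets itself terminate within that size. The hunk also mixes re-indentation and the removal of the `/* Buffer for socket reads */` comment with the functional fix, which hides the single-character change that matters.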
    @@ -155,7 +153,7 @@
     								*                                                              *
     								* Right now it is very dumb, and only checks for a get header   *
     								* Improvements? */
    - -                 sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
    +		sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
                      if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0) {
     										strcpy(hc[listnum].path, path);
     										
    ==8< atphttpd-0.4b.patch 8<==
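    As an added illustration, not atphttpd code and not from the advisory or its author, the following C program shows the two defensive patterns the DETAILS section and the patch above are reaching for: a line reader that always leaves room for the terminating NUL (the off-by-one case), and a request-line parser whose field bounds come from the field buffers themselves and which reports an over-long token instead of truncating it. The values of MAX_BUFFER and MAX_STORE, the function names and every input line are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes; the advisory does not show atphttpd's real values. */
#define MAX_BUFFER 4096
#define MAX_STORE  1024

enum parse_status { PARSE_OK = 0, PARSE_TOO_FEW_FIELDS = 1, PARSE_FIELD_TOO_LONG = 2 };

struct request_line {
    char method[MAX_STORE];
    char path[MAX_STORE];
    char protocol[MAX_STORE];
};

/* Stand-in for a line-reading sock_gets(): copy from src (a string here, not
 * a socket) up to a newline, storing at most dstsize - 1 bytes and always
 * writing the NUL inside dst. The caller passes sizeof(dst), not sizeof(dst) - 1.
 * Returns the number of bytes stored, or -1 when dstsize is 0. */
int copy_line_bounded(const char *src, char *dst, size_t dstsize)
{
    size_t n = 0;
    if (dstsize == 0)
        return -1;
    while (n < dstsize - 1 && src[n] != '\0' && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Copy one whitespace-delimited token from *p into field (capacity cap).
 * An over-long token is rejected rather than truncated: a truncating "%1023s"
 * would hand the tail of the token to the next field as if it were a path.
 * On success *p is advanced past the token and any following blanks. */
static enum parse_status take_field(const char **p, char *field, size_t cap)
{
    size_t len = strcspn(*p, " \t\r\n");
    if (len == 0)
        return PARSE_TOO_FEW_FIELDS;
    if (len >= cap)
        return PARSE_FIELD_TOO_LONG;
    memcpy(field, *p, len);
    field[len] = '\0';
    *p += len;
    *p += strspn(*p, " \t");
    return PARSE_OK;
}

/* Parse "METHOD PATH PROTOCOL" with each field bounded by its own capacity.
 * The struct is zeroed first so a short line never leaves a field
 * uninitialized for a later strcasecmp()/strcpy(). */
enum parse_status parse_request_line(const char *line, struct request_line *req)
{
    const char *p = line + strspn(line, " \t");
    enum parse_status st;
    memset(req, 0, sizeof *req);
    if ((st = take_field(&p, req->method, sizeof req->method)) != PARSE_OK)
        return st;
    if ((st = take_field(&p, req->path, sizeof req->path)) != PARSE_OK)
        return st;
    return take_field(&p, req->protocol, sizeof req->protocol);
}

/* Constructed inputs (not captured traffic); each returns a checkable value. */
int demo_well_formed(void)
{
    char buffer[MAX_BUFFER];
    struct request_line req;
    copy_line_bounded("GET /index.html HTTP/1.0\r\n", buffer, sizeof buffer);
    return parse_request_line(buffer, &req) == PARSE_OK
        && strcmp(req.path, "/index.html") == 0
        && strcmp(req.protocol, "HTTP/1.0") == 0;
}

int demo_overlong_method(void)
{
    static char line[MAX_BUFFER];
    struct request_line req;
    memset(line, 'A', MAX_STORE + 100);            /* method token longer than MAX_STORE */
    strcpy(line + MAX_STORE + 100, " / HTTP/1.0");
    return parse_request_line(line, &req);         /* PARSE_FIELD_TOO_LONG */
}

int demo_missing_protocol(void)
{
    struct request_line req;
    return parse_request_line("GET /index.html\r\n", &req); /* PARSE_TOO_FEW_FIELDS */
}

int demo_long_line_is_terminated(void)
{
    static char src[MAX_BUFFER + 1000];
    char buffer[MAX_BUFFER];
    memset(src, 'B', sizeof src - 1);              /* longer than buffer, no newline */
    src[sizeof src - 1] = '\0';
    copy_line_bounded(src, buffer, sizeof buffer);
    return strlen(buffer) == MAX_BUFFER - 1;       /* NUL landed at buffer[MAX_BUFFER - 1] */
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("over-long method: %d\n", demo_overlong_method());
    printf("missing protocol: %d\n", demo_missing_protocol());
    printf("long line terminated: %d\n", demo_long_line_is_terminated());
    return 0;
}
```

    The parser deliberately returns a status instead of a truncated field: with a width-limited `%s` conversion, a 1124-byte method would be cut at 1023 characters and its remainder would be parsed as the path, so the request is rejected outright rather than silently rewritten.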
    
      --    -------------------------------------------
      ---- q1--    ----------------------------------------
      --    -------------------------------------------
      Web: http://bespin.org/~qitest1
      GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key
      - --------------------------------------------------------
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE9LtQ/IrsshIyVmPkRAvrcAJ4pmxndYZKUhhz8kgTyY3gJ1gvoWQCgk3mh
    pnhu3Y3K7gzgiroXxvvjKF4=
    =cnA0
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 12:24:58 PDT