Hello methodic,
While testing a buffer overflow in you patch (tpbuf is only 210 bytes,
but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found
classical exploitable syslog() format string in this extremely secure
product. Patch?
- if (priority<=LOGLEVEL) syslog(tplev,buf);
+ if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);
void logthis(int priority, char *buf) {
/*
Priority is 1-4, with 1 being the highest priority.
1 - CRITICAL ERRORS
2 - ERRORS
3 - WARNINGS
4 - DEBUG INFORMATION
*/
#ifdef LOGLEVEL
int tplev=0;
if (priority==1) tplev=LOG_CRIT;
if (priority==2) tplev=LOG_ERR;
if (priority==3) tplev=LOG_WARNING;
if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in
/var/messages by default, so... */
if (priority<=LOGLEVEL) syslog(tplev,buf);
#endif
}
--Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraq@securityfocus.com:
m> - -- ------------------------- -- -
[>>(] AngryPacket Security Advisory [>(]
m> - -- ------------------------- -- -
m> +--------------------- -- -
m> + advisory information
m> +------------------ -- -
m> author: methodic <methodic@slartibartfast.angrypacket.com>
m> release date: 01/03/2002
m> homepage: http://sec.angrypacket.com
m> advisory id: 0x0000
m> +-------------------- -- -
m> + product information
m> +----------------- -- -
m> software: Anti-Web httpd (awhttpd)
m> author: HardCore Software
m> homepage: http://hardcoresoftware.cjb.net/awhttpd/
m> description:
m> "Anti-Web httpd is a single-process Web server that relies on its
m> inherent simplicity to be robust, and secure."
m> +---------------------- -- -
m> + vulnerability details
m> +------------------- -- -
m> problem: local denial-of-service
m> affected: awhttpd 2.2 and perhaps earlier versions
m> explaination: any local user with write access to awhttpd's html
m> directory can crash the daemon by crafting a special
m> script which is parsed by awhttpd's scripting engine
m> (which is enabled by default). the offending code
m> exists on line 29 of misc.c:
m> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m> a sample awhttpd script looks like this:
m> # test.cgi
m> --AWHTTPD SCRIPT--
m> echo "this is a test"
m> F:test.html
m> the problem is if test.html doesn't exist in the html
m> directory, then awhttpd will crash on the fclose();
m> status: vendor was notified
m> exploit: see above
m> fix: apply the patches below or disable the scripting engine by
m> editing config.h in the root source directory of awhttpd.
m> =====[ begin cut here ]=====
m> --- misc.c.orig Wed Jan 2 16:22:24 2002
m> +++ misc.c Wed Jan 2 16:26:37 2002
m> @@ -26,7 +26,7 @@
m> void discon(int i) {
m> close(infd[i]);
m> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m> + if (filefd[i]!= NULL) fclose(filefd[i]);
m> if (sending[i]>0) numofusers--;
m> sending[i]=0;
m> getreqs[i][0]=0;
m> =====[ end of misc.c patch ]=====
m> =====[ begin cut here ]=====
m> --- procscrpt.c.orig Wed Jan 2 16:27:33 2002
m> +++ procscrpt.c Wed Jan 2 16:51:47 2002
m> @@ -38,6 +38,12 @@
m> sending[i]=1;
m> strcpy(getreqs[i],tpbuf+2);
m> stripcrlf(getreqs[i]);
m> + if(doesfileexist(getreqs[i]) == 0) {
m> + strcpy(tpbuf, "Error: cannot locate ");
m> + strncat(tpbuf, getreqs[i], 256);
m> + strcat(tpbuf, " for reading!\n");
m> + logthis(3, tpbuf);
m> + }
m> fclose(filefd[i]);
m> } else if (tpbuf[0]==0) {
m> discon(i);
m> =====[ end of procscrpt.c patch ]=====
m> +-------- -- -
m> + credits
m> +----- -- -
m> Bug was found by methodic of AngryPacket security group.
m> Patches by methodic.
m> +----------- -- -
m> + disclaimer
m> +-------- -- -
m> The contents of this advisory are Copyright (c) 2002 AngryPacket
m> Security, and may be distributed freely provided that no fee is charged
m> for distribution and that proper credit is given. As such, AngryPacket
m> Security group, collectively or individually, shall not be held liable
m> or responsible for the misuse of any information contained herein.
m> - -- ------------------------- -- -
[>>(] AngryPacket Security Advisory [>(]
m> - -- ------------------------- -- -
--
~/ZARAZA
Вечная память святому Патрику! (Твен)
