Hello 3APA3A,
OK, format string issue exists only in proposed patch... What about this
issue:
There are (at least) 2 buffer overflows with heap corruption, tpbuf can
be up to 210 characters while getreqs[i] is malloc(100). Of cause,
target file should exist... tpbuf is base dir concatenated with 100
bytes of user's request. It does strips all ".." and "/.", but what
about "///////////" ?
simply try GET '/'x100 in few concurrent connections.
/* ---- So? Does all this mess find us the right file?
BTW - Check to make sure it isn't a directory... */
if ((doesfileexist(tpbuf)==1) && (isadir(tpbuf)==0)) {
strcpy(getreqs[i],tpbuf); return 0; }
...
/* ---- No? How 'bout this? */
if (tpbuf[strlen(tpbuf)-1]!=SLASH) strcat(tpbuf,"/");
strcat(tpbuf,INDEXFILE);
if (doesfileexist(tpbuf)==1) {
strcpy(getreqs[i],tpbuf); return 0; }
--Friday, January 04, 2002, 3:07:13 PM, you wrote to methodic@slartibartfast.angrypacket.com:
3> Hello methodic,
3> While testing a buffer overflow in you patch (tpbuf is only 210 bytes,
3> but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found
3> classical exploitable syslog() format string in this extremely secure
3> product. Patch?
3> - if (priority<=LOGLEVEL) syslog(tplev,buf);
3> + if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);
3> void logthis(int priority, char *buf) {
3> /*
3> Priority is 1-4, with 1 being the highest priority.
3> 1 - CRITICAL ERRORS
3> 2 - ERRORS
3> 3 - WARNINGS
3> 4 - DEBUG INFORMATION
3> */
3> #ifdef LOGLEVEL
3> int tplev=0;
3> if (priority==1) tplev=LOG_CRIT;
3> if (priority==2) tplev=LOG_ERR;
3> if (priority==3) tplev=LOG_WARNING;
3> if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in
3> /var/messages by default, so... */
3> if (priority<=LOGLEVEL) syslog(tplev,buf);
3> #endif
3> }
3> --Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraq@securityfocus.com:
m>> - -- ------------------------- -- -
[>>>(] AngryPacket Security Advisory [>(]
m>> - -- ------------------------- -- -
m>> +--------------------- -- -
m>> + advisory information
m>> +------------------ -- -
m>> author: methodic <methodic@slartibartfast.angrypacket.com>
m>> release date: 01/03/2002
m>> homepage: http://sec.angrypacket.com
m>> advisory id: 0x0000
m>> +-------------------- -- -
m>> + product information
m>> +----------------- -- -
m>> software: Anti-Web httpd (awhttpd)
m>> author: HardCore Software
m>> homepage: http://hardcoresoftware.cjb.net/awhttpd/
m>> description:
m>> "Anti-Web httpd is a single-process Web server that relies on its
m>> inherent simplicity to be robust, and secure."
m>> +---------------------- -- -
m>> + vulnerability details
m>> +------------------- -- -
m>> problem: local denial-of-service
m>> affected: awhttpd 2.2 and perhaps earlier versions
m>> explaination: any local user with write access to awhttpd's html
m>> directory can crash the daemon by crafting a special
m>> script which is parsed by awhttpd's scripting engine
m>> (which is enabled by default). the offending code
m>> exists on line 29 of misc.c:
m>> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m>> a sample awhttpd script looks like this:
m>> # test.cgi
m>> --AWHTTPD SCRIPT--
m>> echo "this is a test"
m>> F:test.html
m>> the problem is if test.html doesn't exist in the html
m>> directory, then awhttpd will crash on the fclose();
m>> status: vendor was notified
m>> exploit: see above
m>> fix: apply the patches below or disable the scripting engine by
m>> editing config.h in the root source directory of awhttpd.
m>> =====[ begin cut here ]=====
m>> --- misc.c.orig Wed Jan 2 16:22:24 2002
m>> +++ misc.c Wed Jan 2 16:26:37 2002
m>> @@ -26,7 +26,7 @@
m>> void discon(int i) {
m>> close(infd[i]);
m>> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m>> + if (filefd[i]!= NULL) fclose(filefd[i]);
m>> if (sending[i]>0) numofusers--;
m>> sending[i]=0;
m>> getreqs[i][0]=0;
m>> =====[ end of misc.c patch ]=====
m>> =====[ begin cut here ]=====
m>> --- procscrpt.c.orig Wed Jan 2 16:27:33 2002
m>> +++ procscrpt.c Wed Jan 2 16:51:47 2002
m>> @@ -38,6 +38,12 @@
m>> sending[i]=1;
m>> strcpy(getreqs[i],tpbuf+2);
m>> stripcrlf(getreqs[i]);
m>> + if(doesfileexist(getreqs[i]) == 0) {
m>> + strcpy(tpbuf, "Error: cannot locate ");
m>> + strncat(tpbuf, getreqs[i], 256);
m>> + strcat(tpbuf, " for reading!\n");
m>> + logthis(3, tpbuf);
m>> + }
m>> fclose(filefd[i]);
m>> } else if (tpbuf[0]==0) {
m>> discon(i);
m>> =====[ end of procscrpt.c patch ]=====
m>> +-------- -- -
m>> + credits
m>> +----- -- -
m>> Bug was found by methodic of AngryPacket security group.
m>> Patches by methodic.
m>> +----------- -- -
m>> + disclaimer
m>> +-------- -- -
m>> The contents of this advisory are Copyright (c) 2002 AngryPacket
m>> Security, and may be distributed freely provided that no fee is charged
m>> for distribution and that proper credit is given. As such, AngryPacket
m>> Security group, collectively or individually, shall not be held liable
m>> or responsible for the misuse of any information contained herein.
m>> - -- ------------------------- -- -
[>>>(] AngryPacket Security Advisory [>(]
m>> - -- ------------------------- -- -
--
~/ZARAZA
Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен)
