Hello, I can confirm the buffer overflow in htpasswd of apache 1.3.33, for which Luiz Fernando has written a PoC. ... On Fri, 29 Oct 2004, Larry Cashdollar wrote: > This was posted on the full-disclosure list sept 16 2004 by > Luiz Fernando. > > http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html [...] > It is still vulnerable. But Larrys patch "fixes" a lot of peaces of code, which aren't vulnerable in my oppinion. A closer look shows, that the calls to strcpy are protected by if-statements, which prevent a exploitation. Its just one place where a closing brace ('}') is at the wrong position. ;-) So, instead of this ... > root@bokchoy:~/tes/apache_1.3.33/src/support# diff -uN htpasswd.orig.c > htpasswd.c > --- htpasswd.orig.c 2004-10-28 18:20:13.000000000 -0400 > +++ htpasswd.c 2004-10-28 18:17:25.000000000 -0400 > @@ -202,9 +202,9 @@ > ap_cpystrn(record, "resultant record too long", (rlen - 1)); > return ERR_OVERFLOW; > } > - strcpy(record, user); > + strncpy(record, user,MAX_STRING_LEN - 1); > strcat(record, ":"); > - strcat(record, cpw); > + strncat(record, cpw,MAX_STRING_LEN - 1); > return 0; > } > > @@ -410,14 +410,14 @@ > fprintf(stderr, "%s: filename too long\n", argv[0]); > return ERR_OVERFLOW; > } > - strcpy(pwfilename, argv[i]); > + strncpy(pwfilename, argv[i], MAX_STRING_LEN-1); > if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { > fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], > (unsigned long)(sizeof(user) - 1)); > return ERR_OVERFLOW; > } > } > - strcpy(user, argv[i + 1]); > + strncpy(user, argv[i + 1],MAX_STRING_LEN-1); > if ((arg = strchr(user, ':')) != NULL) { > fprintf(stderr, "%s: username contains illegal character > '%c'\n", > argv[0], *arg); > @@ -429,7 +429,7 @@ > (unsigned long)(sizeof(password) - 1)); > return ERR_OVERFLOW; > } > - strcpy(password, argv[i + 2]); > + strncpy(password, argv[i + 2],MAX_STRING_LEN - 1 ); > } > > #ifdef WIN32 > @@ -553,7 +553,7 @@ > putline(ftemp, line); > continue; > } > - strcpy(scratch, line); > + strncpy(scratch, line,MAX_STRING_LEN -1); > /* > * See if this is our user. > */ ... I suggest the following shorter one, which will give us also a correct error message instead of eventually filling htpasswd with "short" entries: | --- src/support/htpasswd.c.orig Fri Feb 20 23:02:24 2004 | +++ src/support/htpasswd.c Fri Oct 29 21:13:36 2004 | @@ -411,11 +411,11 @@ | return ERR_OVERFLOW; | } | strcpy(pwfilename, argv[i]); |- if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { |- fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], |- (unsigned long)(sizeof(user) - 1)); |- return ERR_OVERFLOW; |- } |+ } |+ if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { |+ fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], |+ (unsigned long)(sizeof(user) - 1)); |+ return ERR_OVERFLOW; | } | strcpy(user, argv[i + 1]); | if ((arg = strchr(user, ':')) != NULL) { This bug exists in 1.3.31, 1.3.32 and 1.3.33. I didn't test other versions. As I don't find a entry in the bug database, I reported that bug to the apache httpd people. The Bug ID is #31975. Yours, Michi. ---------------------------------------------------------------------------- Michael Engert michi@xxxxxxxxxx 80337 München
