Search...

thttpd 2.2x - defang Remote Buffer Overflow (PoC)

2003-10-27T00:00:00

ID EXPLOITPACK:F3F4BAFF9C0E126129A60A7076C8BCE3
Type exploitpack
Reporter Joel Soderberg
Modified 2003-10-27T00:00:00

Description

thttpd 2.2x - defang Remote Buffer Overflow (PoC)

                                        
                                            /*
source: https://www.securityfocus.com/bid/8906/info

A vulnerability has been reported in thttpd that may allow a remote attacker to execute arbitrary code on vulnerable host. The issue is reported to exist due to a lack of bounds checking by software, leading to a buffer overflow condition. The problem is reported to exist in the defang() function in libhttpd.c.

This issue may allow an attacker to gain unauthorized access to a vulnerable host. Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the web server in order to gain unauthorized access to a vulnerable system.

thttpd versions 2.21 to 2.23b1 have been reported to be prone to this issue, however other versions may be affected as well. 
*/

static void
defang( char* str, char* dfstr, int dfsize )
{
    char* cp1;
    char* cp2;

    for ( cp1 = str, cp2 = dfstr;
   *cp1 != '\0' && cp2 - dfstr &lt; dfsize - 1;
   ++cp1, ++cp2 )
     {
     switch ( *cp1 )
         {
         case '&lt;':
         *cp2++ = '&';
         *cp2++ = 'l';
         *cp2++ = 't';
         *cp2 = ';';
         break;
         case '&gt;':
         *cp2++ = '&';
         *cp2++ = 'g';
         *cp2++ = 't';
         *cp2 = ';';
         break;
         default:
         *cp2 = *cp1;
         break;
         }
     }
    *cp2 = '\0';
}

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:06:08", "references": [], "description": "\nthttpd 2.2x - defang Remote Buffer Overflow (PoC)", "edition": 1, "reporter": "Joel Soderberg", "exploitpack": {"type": "dos", "platform": "linux"}, "published": "2003-10-27T00:00:00", "title": "thttpd 2.2x - defang Remote Buffer Overflow (PoC)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:06:08", "rev": 2}, "score": {"value": 0.7, "vector": "NONE", "modified": "2020-04-01T19:06:08", "rev": 2}, "vulnersScore": 0.7}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2003-10-27T00:00:00", "id": "EXPLOITPACK:F3F4BAFF9C0E126129A60A7076C8BCE3", "href": "", "viewCount": 1, "sourceData": "/*\nsource: https://www.securityfocus.com/bid/8906/info\n\nA vulnerability has been reported in thttpd that may allow a remote attacker to execute arbitrary code on vulnerable host. The issue is reported to exist due to a lack of bounds checking by software, leading to a buffer overflow condition. The problem is reported to exist in the defang() function in libhttpd.c.\n\nThis issue may allow an attacker to gain unauthorized access to a vulnerable host. Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the web server in order to gain unauthorized access to a vulnerable system.\n\nthttpd versions 2.21 to 2.23b1 have been reported to be prone to this issue, however other versions may be affected as well. \n*/\n\nstatic void\ndefang( char* str, char* dfstr, int dfsize )\n{\n char* cp1;\n char* cp2;\n\n for ( cp1 = str, cp2 = dfstr;\n *cp1 != '\\0' && cp2 - dfstr < dfsize - 1;\n ++cp1, ++cp2 )\n {\n switch ( *cp1 )\n {\n case '<':\n *cp2++ = '&';\n *cp2++ = 'l';\n *cp2++ = 't';\n *cp2 = ';';\n break;\n case '>':\n *cp2++ = '&';\n *cp2++ = 'g';\n *cp2++ = 't';\n *cp2 = ';';\n break;\n default:\n *cp2 = *cp1;\n break;\n }\n }\n *cp2 = '\\0';\n}", "cvss": {"score": 0.0, "vector": "NONE"}}