ID PACKETSTORM:23590 Type packetstorm Reporter PrOtOn Modified 2000-11-14T00:00:00
Description
`PROBLEM:
...
main(int argc, char *argv[]) {
entry entries[64];
...
for(x=0;cl[0] != '\0';x++) {
m=x;
getword(entries[x].val,cl,'&');
plustospace(entries[x].val);
unescape_url(entries[x].val);
getword(entries[x].name,entries[x].val,'=');
}
...
The `for' loop does not verify that x is less than 64.
The `entries' struct being a flat data type will cause
any data written into the 64th entry to overwrite the
return pointer, allowing malicious code to be executed.
I have a working exploit for Linux/ix86 that I /may/ post to
bugtraq when system administrators has had a chance to
fix their servers.
Yes, I know phf is an old script but it is still fairly common.
This bug is unrelated to the bad chars filter problem that
is the best known vulnerability of phf.
VULNERABLE VERSIONS:
All known versions of phf (patched and unpatched)
(excluding fakes, ofcourse)
TO FIX:
Locate and DELETE all versions of phf.
Do NOT rename the executable, crackers might discover the
new name and exploit it (this is not uncommon).
/proton
`
{"sourceHref": "https://packetstormsecurity.com/files/download/23590/new.phf.txt", "sourceData": "`PROBLEM: \n \n... \n \nmain(int argc, char *argv[]) { \nentry entries[64]; \n \n... \n \nfor(x=0;cl[0] != '\\0';x++) { \nm=x; \ngetword(entries[x].val,cl,'&'); \nplustospace(entries[x].val); \nunescape_url(entries[x].val); \ngetword(entries[x].name,entries[x].val,'='); \n} \n \n... \n \nThe `for' loop does not verify that x is less than 64. \nThe `entries' struct being a flat data type will cause \nany data written into the 64th entry to overwrite the \nreturn pointer, allowing malicious code to be executed. \n \nI have a working exploit for Linux/ix86 that I /may/ post to \nbugtraq when system administrators has had a chance to \nfix their servers. \n \nYes, I know phf is an old script but it is still fairly common. \n \nThis bug is unrelated to the bad chars filter problem that \nis the best known vulnerability of phf. \n \nVULNERABLE VERSIONS: \n \nAll known versions of phf (patched and unpatched) \n(excluding fakes, ofcourse) \n \nTO FIX: \n \nLocate and DELETE all versions of phf. \nDo NOT rename the executable, crackers might discover the \nnew name and exploit it (this is not uncommon). \n \n/proton \n`\n", "edition": 1, "references": [], "modified": "2000-11-14T00:00:00", "hash": "b5f23c15cae3604d824bfe4d3b34455c739acfadbdffe41c98a9ada6ed153766", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/23590/new.phf.txt.html", "description": "", "id": "PACKETSTORM:23590", "reporter": "PrOtOn", "lastseen": "2016-11-03T10:19:53", "published": "2000-11-14T00:00:00", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2016-11-03T10:19:53"}, "dependencies": {"references": [], "modified": "2016-11-03T10:19:53"}, "vulnersScore": -0.0}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "new.phf.txt", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "74bf343b8a30f618decd67ad94f54b7d", "key": "href"}, {"hash": "de1712b718be48797984456ccbb1aac8", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "de1712b718be48797984456ccbb1aac8", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "49fa0ff998e8205ed8dfdead38d3238e", "key": "reporter"}, {"hash": "af739ecb041ad12fb8a281a3ac8f9b75", "key": "sourceData"}, {"hash": "f140b5194a51a030dd033ab5e96d2768", "key": "sourceHref"}, {"hash": "ae203f804f980cddc6a53415a5b15bd6", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}
