Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)

2001-06-18T00:00:00
ID SECURITYVULNS:DOC:1729
Type securityvulns
Reporter Securityvulns
Modified 2001-06-18T00:00:00

Description

/ qitest1's security advisory #002 /

Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)

+Systems Affected Any system running GazTek HTTP Daemon v1.4 (ghttpd)

+Program Description ghttpd is a small and easy to configure HTTP server with CGI support, tested on Linux. It can run as a standalone daemon or can be called by inetd. It has been written by Gareth Owen <gaz@athene.co.uk>, http://members.xoom.com/gaztek.

+Vulnerability And Impact A remote attacker can overflow a buffer and execute arbitrary code on the system with the privileges of the user running ghttpd, that is nobody, as all the privileges are dropped out. Infact in util.c at line 219 we have: va_start(ap, format); // format it all into temp vsprintf(temp, format, ap); va_end(ap);

+Solution The author was contacted but he did not answered. Apply a patch to the source code of the daemon or remove it from your system.

+Exploit This bug can be succesfully exploited by a remote attacker. There is a demonstrative exploit code attached to this advisory. See the code for more info.

-- / qitest1 http://qitest1.cjb.net * * ``Ut tensio, sic vis. 69 tecum sis.'' * * main(){if(unsatisfied == 69) try_come(in);} /