Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS)

2002-01-04T00:00:00
ID SECURITYVULNS:DOC:2328
Type securityvulns
Reporter Securityvulns
Modified 2002-01-04T00:00:00

Description

Hello methodic,

While testing a buffer overflow in your patch (tpbuf is only 210 bytes, but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found a classical exploitable syslog() format string in this extremely secure product. Patch?

  • if (priority<=LOGLEVEL) syslog(tplev,buf);
  • if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);
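Review bot: the replacement line, syslog(tplev,"%s",buf), is the correct form, but it covers only this one call. logthis() is the sink for strings such as the tpbuf built from getreqs[i] in the quoted procscrpt.c patch, so any other printf-family call that receives the same strings needs a literal format as well. Declaring the parameter as const char *buf and building with -Wformat -Wformat-security would flag a regression to syslog(tplev,buf).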

void logthis(int priority, char *buf) {

/*
  Priority is 1-4, with 1 being the highest priority.
  1 - CRITICAL ERRORS
  2 - ERRORS
  3 - WARNINGS
  4 - DEBUG INFORMATION
*/

#ifdef LOGLEVEL

  int tplev=0;

  if (priority==1) tplev=LOG_CRIT;
  if (priority==2) tplev=LOG_ERR;
  if (priority==3) tplev=LOG_WARNING;
  if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in /var/messages by default, so... */

  if (priority<=LOGLEVEL) syslog(tplev,buf);

#endif

}

--Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraq@securityfocus.com:

m> - -- ------------------------- -- - [>>(] AngryPacket Security Advisory [>(]
m> - -- ------------------------- -- -

m> +--------------------- -- -
m> + advisory information
m> +------------------ -- -
m> author: methodic <methodic@slartibartfast.angrypacket.com>
m> release date: 01/03/2002
m> homepage: http://sec.angrypacket.com
m> advisory id: 0x0000

m> +-------------------- -- -
m> + product information
m> +----------------- -- -
m> software: Anti-Web httpd (awhttpd)
m> author: HardCore Software
m> homepage: http://hardcoresoftware.cjb.net/awhttpd/
m> description:
m> "Anti-Web httpd is a single-process Web server that relies on its
m> inherent simplicity to be robust, and secure."

m> +---------------------- -- -
m> + vulnerability details
m> +------------------- -- -
m> problem: local denial-of-service
m> affected: awhttpd 2.2 and perhaps earlier versions
m> explanation: any local user with write access to awhttpd's html
m> directory can crash the daemon by crafting a special
m> script which is parsed by awhttpd's scripting engine
m> (which is enabled by default). the offending code
m> exists on line 29 of misc.c:

m> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

m> a sample awhttpd script looks like this:
m> # test.cgi
m> --AWHTTPD SCRIPT--
m> echo "this is a test"
m> F:test.html

m> the problem is if test.html doesn't exist in the html
m> directory, then awhttpd will crash on the fclose();
m> status: vendor was notified
m> exploit: see above
m> fix: apply the patches below or disable the scripting engine by
m> editing config.h in the root source directory of awhttpd.

m> =====[ begin cut here ]===== m> --- misc.c.orig Wed Jan 2 16:22:24 2002 m> +++ misc.c Wed Jan 2 16:26:37 2002 m> @@ -26,7 +26,7 @@

m> void discon(int i) { m> close(infd[i]); m> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]); m> + if (filefd[i]!= NULL) fclose(filefd[i]); m> if (sending[i]>0) numofusers--; m> sending[i]=0; m> getreqs[i][0]=0; m> =====[ end of misc.c patch ]=====
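Review bot: on the changed line in discon(), the test moves from (FILE *) -1 to NULL, which is only safe if every place that initialises or clears filefd[i] now stores NULL; a slot still holding (FILE *) -1 passes the new check and reaches fclose(). The visible lines also leave filefd[i] unchanged after fclose(), so a second discon(i) on the same slot would close the stream twice; set filefd[i] = NULL right after the fclose().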

m> =====[ begin cut here ]===== m> --- procscrpt.c.orig Wed Jan 2 16:27:33 2002 m> +++ procscrpt.c Wed Jan 2 16:51:47 2002 m> @@ -38,6 +38,12 @@ m> sending[i]=1; m> strcpy(getreqs[i],tpbuf+2); m> stripcrlf(getreqs[i]); m> + if(doesfileexist(getreqs[i]) == 0) { m> + strcpy(tpbuf, "Error: cannot locate "); m> + strncat(tpbuf, getreqs[i], 256); m> + strcat(tpbuf, " for reading!\n"); m> + logthis(3, tpbuf); m> + } m> fclose(filefd[i]); m> } else if (tpbuf[0]==0) { m> discon(i); m> =====[ end of procscrpt.c patch ]=====
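Review bot: strncat(tpbuf, getreqs[i], 256) limits the append to a constant, not to the space left in tpbuf after the "Error: cannot locate " prefix, and the strcat() of the suffix that follows is unbounded; size the append from the room remaining in tpbuf (leaving space for the suffix), or build the whole message with a single snprintf(). The added block also only logs: control still falls through to the fclose(filefd[i]) below it, and the tpbuf handed to logthis(3, tpbuf) carries the script-supplied name, so the logger has to treat it as data rather than as a format.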

m> +-------- -- -
m> + credits
m> +----- -- -
m> Bug was found by methodic of AngryPacket security group.
m> Patches by methodic.

m> +----------- -- -
m> + disclaimer
m> +-------- -- -
m> The contents of this advisory are Copyright (c) 2002 AngryPacket
m> Security, and may be distributed freely provided that no fee is charged
m> for distribution and that proper credit is given. As such, AngryPacket
m> Security group, collectively or individually, shall not be held liable
m> or responsible for the misuse of any information contained herein.

m> - -- ------------------------- -- - [>>(] AngryPacket Security Advisory [>(]
m> - -- ------------------------- -- -

-- ~/ZARAZA Eternal memory to Saint Patrick! (Twain)
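
An added example, not code from awhttpd or from either poster: it counts the conversion directives a printf-family call would act on when the log message is passed as the format versus as an argument to "%s", and builds the "cannot locate" message with one bounded call. The helper names, the sample file name and the use of snprintf() are assumptions; the 210-byte tpbuf size is the one quoted in the message above.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Directives a printf-family call would act on in `fmt`, minus the
   arguments actually supplied. "%%" is a literal percent sign.
   A result above 0 means the call reads arguments that were never passed. */
int unmatched_directives(const char *fmt, int nargs) {
    int n = 0;
    for (; *fmt; fmt++) {
        if (*fmt != '%') continue;
        if (fmt[1] == '%') { fmt++; continue; }
        n++;
    }
    return n - nargs;
}

/* Build the "cannot locate" message with one bounded call instead of
   strcpy/strncat/strcat. Returns 1 if it fit, 0 if it was truncated. */
int build_missing_msg(char *out, size_t outsz, const char *name) {
    int need = snprintf(out, outsz, "Error: cannot locate %s for reading!", name);
    return need >= 0 && (size_t)need < outsz;
}

/* Logger with the fix applied: buf is only ever an argument. */
void logthis_fixed(int priority, const char *buf) {
    int tplev = priority == 1 ? LOG_CRIT : priority == 2 ? LOG_ERR : LOG_WARNING;
    syslog(tplev, "%s", buf);
}

int main(void) {
    char tpbuf[210];                 /* size quoted in the message above */
    const char *name = "%x%x.html";  /* constructed sample file name */
    if (!build_missing_msg(tpbuf, sizeof tpbuf, name))
        fputs("message truncated\n", stderr);
    printf("as format:   %d unmatched\n", unmatched_directives(tpbuf, 0));
    printf("as argument: %d unmatched\n", unmatched_directives("%s", 1));
    logthis_fixed(3, tpbuf);
    return 0;
}
```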