Buffer overflow in awhttpd (Re: Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS))

2002-01-04T00:00:00
ID SECURITYVULNS:DOC:2329
Type securityvulns
Reporter Securityvulns
Modified 2002-01-04T00:00:00

Description

Hello 3APA3A,

OK, format string issue exists only in proposed patch... What about this issue:

There are (at least) 2 buffer overflows with heap corruption, tpbuf can be up to 210 characters while getreqs[i] is malloc(100). Of cause, target file should exist... tpbuf is base dir concatenated with 100 bytes of user's request. It does strips all ".." and "/.", but what about "///////////" ?

simply try GET '/'x100 in few concurrent connections.

/ ---- So? Does all this mess find us the right file? BTW - Check to make sure it isn't a directory... / if ((doesfileexist(tpbuf)==1) && (isadir(tpbuf)==0)) { strcpy(getreqs[i],tpbuf); return 0; }

...

/ ---- No? How 'bout this? / if (tpbuf[strlen(tpbuf)-1]!=SLASH) strcat(tpbuf,"/"); strcat(tpbuf,INDEXFILE); if (doesfileexist(tpbuf)==1) { strcpy(getreqs[i],tpbuf); return 0; }

--Friday, January 04, 2002, 3:07:13 PM, you wrote to methodic@slartibartfast.angrypacket.com:

3> Hello methodic,

3> While testing a buffer overflow in you patch (tpbuf is only 210 bytes, 3> but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found 3> classical exploitable syslog() format string in this extremely secure 3> product. Patch?

3> - if (priority<=LOGLEVEL) syslog(tplev,buf); 3> + if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);

3> void logthis(int priority, char *buf) {

3> / 3> Priority is 1-4, with 1 being the highest priority. 3> 1 - CRITICAL ERRORS 3> 2 - ERRORS 3> 3 - WARNINGS 3> 4 - DEBUG INFORMATION 3> /

3> #ifdef LOGLEVEL

3> int tplev=0;

3> if (priority==1) tplev=LOG_CRIT; 3> if (priority==2) tplev=LOG_ERR; 3> if (priority==3) tplev=LOG_WARNING; 3> if (priority==4) tplev=LOG_WARNING; / LOG_DEBUG Doesn't show up in 3> /var/messages by default, so... /

3> if (priority<=LOGLEVEL) syslog(tplev,buf);

3> #endif

3> }

3> --Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraq@securityfocus.com:

m>> - -- ------------------------- -- - [>>>(] AngryPacket Security Advisory [>(] m>> - -- ------------------------- -- -

m>> +--------------------- -- - m>> + advisory information m>> +------------------ -- - m>> author: methodic <methodic@slartibartfast.angrypacket.com> m>> release date: 01/03/2002 m>> homepage: http://sec.angrypacket.com m>> advisory id: 0x0000

m>> +-------------------- -- - m>> + product information m>> +----------------- -- - m>> software: Anti-Web httpd (awhttpd) m>> author: HardCore Software m>> homepage: http://hardcoresoftware.cjb.net/awhttpd/ m>> description: m>> "Anti-Web httpd is a single-process Web server that relies on its m>> inherent simplicity to be robust, and secure."

m>> +---------------------- -- - m>> + vulnerability details m>> +------------------- -- - m>> problem: local denial-of-service m>> affected: awhttpd 2.2 and perhaps earlier versions m>> explaination: any local user with write access to awhttpd's html m>> directory can crash the daemon by crafting a special m>> script which is parsed by awhttpd's scripting engine m>> (which is enabled by default). the offending code m>> exists on line 29 of misc.c:

m>> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

m>> a sample awhttpd script looks like this: m>> # test.cgi m>> --AWHTTPD SCRIPT-- m>> echo "this is a test" m>> F:test.html

m>> the problem is if test.html doesn't exist in the html m>> directory, then awhttpd will crash on the fclose(); m>> status: vendor was notified m>> exploit: see above m>> fix: apply the patches below or disable the scripting engine by m>> editing config.h in the root source directory of awhttpd.

m>> =====[ begin cut here ]===== m>> --- misc.c.orig Wed Jan 2 16:22:24 2002 m>> +++ misc.c Wed Jan 2 16:26:37 2002 m>> @@ -26,7 +26,7 @@

m>> void discon(int i) { m>> close(infd[i]); m>> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]); m>> + if (filefd[i]!= NULL) fclose(filefd[i]); m>> if (sending[i]>0) numofusers--; m>> sending[i]=0; m>> getreqs[i][0]=0; m>> =====[ end of misc.c patch ]=====

m>> =====[ begin cut here ]===== m>> --- procscrpt.c.orig Wed Jan 2 16:27:33 2002 m>> +++ procscrpt.c Wed Jan 2 16:51:47 2002 m>> @@ -38,6 +38,12 @@ m>> sending[i]=1; m>> strcpy(getreqs[i],tpbuf+2); m>> stripcrlf(getreqs[i]); m>> + if(doesfileexist(getreqs[i]) == 0) { m>> + strcpy(tpbuf, "Error: cannot locate "); m>> + strncat(tpbuf, getreqs[i], 256); m>> + strcat(tpbuf, " for reading!\n"); m>> + logthis(3, tpbuf); m>> + } m>> fclose(filefd[i]); m>> } else if (tpbuf[0]==0) { m>> discon(i); m>> =====[ end of procscrpt.c patch ]=====

m>> +-------- -- - m>> + credits m>> +----- -- - m>> Bug was found by methodic of AngryPacket security group. m>> Patches by methodic.

m>> +----------- -- - m>> + disclaimer m>> +-------- -- - m>> The contents of this advisory are Copyright (c) 2002 AngryPacket m>> Security, and may be distributed freely provided that no fee is charged m>> for distribution and that proper credit is given. As such, AngryPacket m>> Security group, collectively or individually, shall not be held liable m>> or responsible for the misuse of any information contained herein.

m>> - -- ------------------------- -- - [>>>(] AngryPacket Security Advisory [>(] m>> - -- ------------------------- -- -

-- ~/ZARAZA Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен)