[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
Dear Slotto Corleone,
--Friday, April 30, 2004, 3:43:15 AM, you wrote to full-disclosure@...ts.netsys.com:
SC> - sphiro/libhttp/http_socks.c
SC> int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
SC> ...
SC> char buffer[MAX_READ +1];
SC> char auth_buff[MAX_READ+1];
SC> char filename[128];
SC> ...
SC> ...
<skipped>
SC> sprintf(filename,"%s%s",config->webroot,request); <-- oops
According to information you provided this is stack overflow, not heap.
And in this very case it looks not to be exploitable, because behind
filename boundaries sprintf() overwrites beginning of auth_buf. Of cause
I may be wrong, full annalists of source code required to make
conclusion.
--
~/ZARAZA
???? ???? ?? ???????? ?????-?????? ??????, ?? ??? ????? ?? ??????? ??? ?????????. (????)
Powered by blists - more mailing lists