[<prev] [next>] [day] [month] [year] [list]
Message-ID: <007a01c39cc9$9fb589a0$af00a8c0@XPlappytoppy>
Date: Mon, 27 Oct 2003 21:33:47 +0100
From: "advisories(-at-)texonet.com" <advisories@...onet.com>
To: <bugtraq@...urityfocus.com>
Subject: Remote overflow in thttpd
-----------------------------------------------------------------------
Texonet Security Advisory 20030908
-----------------------------------------------------------------------
Advisory ID : TEXONET-20030908
Authors : Joel Soderberg and Christer Oberg
Issue date : Monday, September 8, 2003
Publish date : Monday, October 27, 2003
Application : thttpd
Version(s) : 2.21 - 2.23b1
Platforms : FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF
Availability : http://www.texonet.com/advisories/TEXONET-20030908.txt
-----------------------------------------------------------------------
Problem:
-----------------------------------------------------------------------
Remote overflow allows attacker to partially overwrite ebp register and
execute arbitrary code.
Description:
-----------------------------------------------------------------------
The problem is found in libhttpd.c in the function defang()
static void
defang( char* str, char* dfstr, int dfsize )
{
char* cp1;
char* cp2;
for ( cp1 = str, cp2 = dfstr;
*cp1 != '\0' && cp2 - dfstr < dfsize - 1;
++cp1, ++cp2 )
{
switch ( *cp1 )
{
case '<':
*cp2++ = '&';
*cp2++ = 'l';
*cp2++ = 't';
*cp2 = ';';
break;
case '>':
*cp2++ = '&';
*cp2++ = 'g';
*cp2++ = 't';
*cp2 = ';';
break;
default:
*cp2 = *cp1;
break;
}
}
*cp2 = '\0';
}
So when '<' or '>' are found in the input we "pay for 1 and get 3 for
free", this allows us overwrite bits of ebp and indirectly control eip
(assuming its been compiled with gcc < 3.0)
Workaround:
-----------------------------------------------------------------------
Upgrade to version 2.24
Disclosure Timeline:
-----------------------------------------------------------------------
09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release
About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.
Contacting Texonet:
-----------------------------------------------------------------------
E-mail: advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611
Powered by blists - more mailing lists