Message-ID: <42AB1976.1020709@twilight-hall.net>
Date: Sat, 11 Jun 2005 19:03:50 +0200
From: Raphaël Rigo ML <ml@...light-hall.net>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in Pico Server (pServ) v3.3


                 Multiple vulnerabilities in Pico Server (pServ) v3.3

                                 discovered by Raphaël Rigo

Product: Pico Server (pServ)
Affected Version: 3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected: all
Risk: critical
Remote Exploit: yes
URL: http://pserv.sourceforge.net/

Overview
========

Pico Server is a small web server. It is meant to be portable and configurable.
     * small, portable
     * fast
     * CGI-BIN support
     * auto-indexing of directories
     * access and error logging (see p-reporter for an analyser)
     * forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and offers several options, set by means of #define
statements, that customize the behaviour, the performance and the feature set
so that it can better fit the requirements.

Vulnerabilities
===============

         1) Directory traversal

         A bug in the directory parsing code allows the attacker to access any
         directory the server has the right to access.

         Details :
         pServ computes the depth of the directory the user tries to access in a
         variable named depthCount. This count is decremented when a /../ is
         encountered; unfortunately, it is also incremented when a /./ is
         encountered, allowing the attacker to pair a /./ with each /../ so that
         depthCount never becomes negative.

         Risk : HIGH
         The attacker may gain important information about the system that could
         lead to other attacks.

         Proof of concept :
         access : http://www.example.com/./../

         Workaround :
         There is no workaround for this vulnerability.

         Solution :
         Update to v3.4
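         The depthCount flaw described above, as an added illustration that is not
         pServ's code: a hypothetical reconstruction of a depth counter that gives
         "/./" the buggy increment, beside a corrected variant that treats "." as a
         no-op (how v3.4 actually fixed it is not shown here; percent-decoding is
         assumed to have happened earlier).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Walks the '/'-separated segments of a request path and tracks how many
 * levels below the document root it points.  dot_bumps_depth reproduces the
 * flaw the advisory describes: treating "/./" as if it entered a directory.
 * Hypothetical reconstruction for illustration, not pServ's own code; the
 * path is assumed to be already percent-decoded. */
static bool depth_check(const char *path, bool dot_bumps_depth)
{
    int depthCount = 0;
    const char *seg = path;
    while (*seg) {
        if (*seg == '/') { seg++; continue; }       /* skip separators */
        size_t len = strcspn(seg, "/");
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            depthCount--;                           /* "..": one level up */
        else if (len == 1 && seg[0] == '.')
            depthCount += dot_bumps_depth ? 1 : 0;  /* ".": the buggy +1 */
        else
            depthCount++;                           /* ordinary segment */
        if (depthCount < 0)
            return false;                           /* climbed above root */
        seg += len;
    }
    return true;
}

/* Flawed variant: "/./../" nets to zero and is accepted. */
bool flawed_check(const char *path) { return depth_check(path, true); }

/* Fixed variant: "." never changes depth, so "/./../" is rejected. */
bool fixed_check(const char *path) { return depth_check(path, false); }

int main(void)
{
    const char *probes[] = { "/index.html", "/../", "/./../",
                             "/cgi-bin/./.././../usr/bin/ls" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-32s flawed=%s fixed=%s\n", probes[i],
               flawed_check(probes[i]) ? "allow" : "deny",
               fixed_check(probes[i]) ? "allow" : "deny");
    return 0;
}
```

         The fixed variant also rejects the path the moment the depth would go
         below the root, rather than only checking the final total.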

         -----------------------------------------------------------------------

         2) Remote command execution

         The directory traversal vulnerability described above also enables
         remote command execution. This may help an attacker to compromise the
         server.

         Details :
         pServ treats every request beginning with /cgi-bin/ as a request to
         execute a script; combined with the traversal above, the executed path
         is not confined to the cgi-bin directory.

         Risk : CRITICAL
         The attacker may use this vulnerability to destroy data or for other
         attacks (e.g. use wget to download root exploits).

         Proof of concept :
         access : http://www.example.com/cgi-bin/./.././../usr/bin/ls

         Workaround :
         Disable cgi-bin support at compile time.

         Solution :
         Update to v3.4

         -----------------------------------------------------------------------

         3) Multiple heap overflows in cgi execution

         The lack of bounds checking for cgi arguments allows an attacker to
         overflow the allocated memory, possibly allowing for remote code
         execution.

         Details :
         Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux)
         but the attacker is only limited by the maximum request length (2048).
         The malloc'ed buffer can therefore be overflowed.

         Risk : HIGH
         Successful exploitation can lead to arbitrary code execution.

         Workaround :
         Disable cgi-bin support at compile time.

         Solution :
         Update to v3.4

         -----------------------------------------------------------------------


Timeline
========
2005-05-18        Discovery
2005-05-19        First attempt to contact developer
2005-05-21        Second attempt
2005-05-22        Developer reply
2005-06-11        Fixed version 3.4 released and advisory published

