| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Jun 2005 19:03:50 +0200
From: Raphaël Rigo ML <ml@...light-hall.net>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in Pico Server (pServ) v3.3
Multiple vulnerabilities in Pico Server (pServ) v3.3
discovered by Raphaël Rigo
Product: Pico Server (pServ)
Affected Version: 3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected: all
Risk: critical
Remote Exploit: yes
URL: http://pserv.sourceforge.net/
Overview
========
Pico Server is a small web server. It is meant to be portable and configurable.
* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyser)
* forking or single-connection at choice
Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behaviour, the performance and the feature set so
to be able to fit better the the requisites.
Vulnerabilities
===============
1) Directory traversal
A bug in the directory parsing code allows the attacker to access any
directory the server has the right to access.
Details :
pServ computes the depth of the directory the user tries to access in the
variable named depthCount. This counts is decreased when a /../ is
encountered, unfortunately, it is also increased when /./ is
encountered, allowing the attacker to use a /./ for each /../ to make
sure depthCount is not negative.
Risk : HIGH
The attacker may gain important information about the system that could
lead to other attacks.
Proof of concept :
access : http://www.example.com/./../
Workaround :
There is no workaround for this vulnerability.
Solution :
Update to v3.4
-----------------------------------------------------------------------
2) Remote command execution
The directory traversal vulnerability described above also enables
remote command execution. This may help an attacker to compromise the
server.
Details :
pServ considers every request beginning with /cgi-bin/ as a script
execution.
Risk : CRITICAL
The attacker may use this vulnerability to destroy data or for other
attacks (i.e. use wget to download root exploits).
Proof of concept :
access : http://www.example.com/cgi-bin/./.././../usr/bin/ls
Workaround :
Disable cgi-bin support at compile time.
Solution :
Update to v3.4
-----------------------------------------------------------------------
3) Multiple heap overflows in cgi execution
The lack of bounds checking for cgi arguments allows an attacker to
overflow the allocated memory, possibly allowing for remote code
execution.
Details :
Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux)
but the attacker is only limited by the maximum request length (2048).
The malloc'ed buffer can therefore be overflowed.
Risk : HIGH
Successful exploitation can lead to arbitrary code execution.
Workaround :
Disable cgi-bin support at compile time.
Solution :
Update to v3.4
-----------------------------------------------------------------------
Timeline
========
2005-05-18 Discovery
2005-05-19 First attempt to contact developer
2005-05-21 Second attempt
2005-05-22 Developer reply
2005-06-11 Fixed version 3.4 released and advisory published
Powered by blists - more mailing lists