lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 28 Apr 2006 07:22:33 -0000
From: the_day@...o.or.id
To: bugtraq@...urityfocus.com
Subject: [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog()
 Format String Vulnerability


---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
---------------------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Sws Web Server
version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description :

SWS is web server for static web pages. 
SWS is very simple and fast. It's written in GCC and you can distribute with GPL license.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary. 
The format string vulnerability and buffer overflow can be found in 
sws_web_server.c ayardosyasi.h file: 

------------------ ayardosyasi.h ------------------------

		...........
		char homedizini[50];            
		char defaultsayfa[50];          
		char hatasayfasi[100];
		...........
		void open_log_file (void)
		{
		....
		syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og files cannot 	opened. ");
		exit (1);
		...........
		
------------------ sws_web_server.c------------------------
		
		cp = buf + 5;
                ...........
                if (buf[strlen (buf) - 1] == '/')
    		{
		      strcpy (cp, defaultsayfa);
		      strcpy (home, homedizini);
		      strcat (home, cp);
                .............
		syslog(LOG_INFO, "Application finished.");
		  free(recvBuffer);
		  exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@...oogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------


Powered by blists - more mailing lists