Date: Mon, 7 Dec 2009 11:16:50 +0200
From: Patroklos Argyroudis <argp@...sus-labs.com>
To: bugtraq@...urityfocus.com
Subject: CVE-2009-3586: CoreHTTP web server off-by-one buffer overflow vulnerability

census ID:          census-2009-0003
URL:                http://census-labs.com/news/2009/12/02/corehttp-web-server/
CVE ID:             CVE-2009-3586
Affected Products:  CoreHTTP web server versions <= 0.5.3.1.
Class:              Improper Input Validation (CWE-20), Failure to Constrain
                    Operations within the Bounds of a Memory Buffer (CWE-119)
Remote:             Yes
Discovered by:      Patroklos Argyroudis

We have discovered a remotely exploitable "improper input validation"
vulnerability in the CoreHTTP web server that leads to an off-by-one
stack buffer overflow. The vulnerability can lead to denial of service
attacks against the web server and potentially to the remote execution
of arbitrary code with the privileges of the user running the server.

Details

CoreHTTP (http://corehttp.sourceforge.net/) is a minimalist web server
focusing on speed and size. More information about its features can be found
at http://corehttp.sourceforge.net/man.html.

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient
input validation method for handling HTTP requests with invalid method
names and URIs. Specifically, the vulnerability is an off-by-one buffer
overflow in the sscanf() call at file src/http.c line numbers 45 and 46:

45:    sscanf(parentsprock->buffer,
46:        "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);

The buffers req and url are each declared with PATHSIZE (256) bytes, but
the sscanf() field width PATHSIZE_S is also 256. A field width bounds only
the number of input characters that are stored; sscanf() then appends the
terminating NUL after them. A method name or URI of exactly 256 characters
therefore fills the whole buffer and the NUL is written one byte past its
end, an off-by-one overflow of a single zero byte on the stack.

Note that this is not vulnerability CVE-2007-4060 in which the same
sscanf() call contained no bounds check at all.
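The following is an added C example, not code from the advisory or from
CoreHTTP, that reproduces the sscanf() pattern quoted above side by side
with the corrected field width and shows where the extra byte lands. It
assumes PATHSIZE_S expands to "256" (the advisory only states that both
PATHSIZE and PATHSIZE_S are 256); the guard-byte layout, the function
names and the constructed requests are the example's own. Each destination
is a 256-byte region followed by one guard byte inside the same array, so
reading the guard is well-defined and reveals whether sscanf() wrote past
PATHSIZE:

```c
#include <stdio.h>
#include <string.h>

/* Assumed definitions: the advisory says PATHSIZE and PATHSIZE_S are both
 * 256 but does not show the macros. PATHSIZE_M1_S is the corrected width. */
#define PATHSIZE      256
#define PATHSIZE_S    "256"  /* vulnerable: width == buffer size, NUL escapes */
#define PATHSIZE_M1_S "255"  /* fixed: width == buffer size - 1, NUL fits    */

#define GUARD 0xAA           /* byte placed right after each 256-byte region */

/* Same parse as src/http.c lines 45-46; `fixed` selects the safe width. */
static int parse_request(const char *buffer, char *req, char *url, int fixed)
{
    if (fixed)
        return sscanf(buffer,
            "%" PATHSIZE_M1_S "[A-Za-z] %" PATHSIZE_M1_S "s%*[ \t\n]", req, url);
    return sscanf(buffer,
        "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);
}

/* Parse a constructed request whose method (field 0) or URI (field 1) is
 * exactly PATHSIZE characters long and report whether the guard byte after
 * that field's 256-byte region was overwritten (1) or left intact (0). */
int guard_clobbered(int fixed, int field)
{
    char request[PATHSIZE + 16];
    unsigned char req[PATHSIZE + 1];   /* 256 bytes of "buffer" + 1 guard */
    unsigned char url[PATHSIZE + 1];
    size_t n = 0;

    if (field == 0) {
        memset(request, 'A', PATHSIZE);        /* 256-letter method name */
        n = PATHSIZE;
        memcpy(request + n, " /\r\n", 5);      /* copies the NUL too */
    } else {
        memcpy(request, "GET ", 4);
        n = 4;
        memset(request + n, 'x', PATHSIZE);    /* 256-character URI */
        n += PATHSIZE;
        memcpy(request + n, "\r\n", 3);
    }

    memset(req, GUARD, sizeof req);
    memset(url, GUARD, sizeof url);
    parse_request(request, (char *)req, (char *)url, fixed);

    /* Only the terminating NUL can cross the boundary; if it did, the
     * guard no longer holds its original value. */
    return field == 0 ? req[PATHSIZE] != GUARD : url[PATHSIZE] != GUARD;
}

int main(void)
{
    printf("width %s: method overflow=%d, uri overflow=%d\n", PATHSIZE_S,
           guard_clobbered(0, 0), guard_clobbered(0, 1));
    printf("width %s: method overflow=%d, uri overflow=%d\n", PATHSIZE_M1_S,
           guard_clobbered(1, 0), guard_clobbered(1, 1));
    return 0;
}
```

With the original width both fields clobber their guard, with the width
reduced to PATHSIZE - 1 neither does. The escaping byte is always a single
NUL, so what it hits in the real server depends on what the compiler placed
next to req and url on the stack; that is why the advisory rates the
impact as denial of service with code execution only a possibility.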

This vulnerability can lead to denial of service attacks against the
CoreHTTP web server and potentially to the remote execution of
arbitrary code with the privileges of the user running the server. We
have developed a proof-of-concept exploit to demonstrate the
vulnerability:

http://census-labs.com/media/corex.txt

For the time being, one may use the following workaround to address this
issue, until an official fix is released by the author:

http://census-labs.com/media/corehttp-0.5.3.1-patch.txt

-- 
Patroklos Argyroudis
http://www.census-labs.com/
