lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002901c39cc6$acf0dd70$af00a8c0@XPlappytoppy>
From: full-disclosure at texonet.com (full-disclosure@...onet.com)
Subject: Remote overflow in thttpd

-----------------------------------------------------------------------
Texonet Security Advisory 20030908
-----------------------------------------------------------------------
Advisory ID    : TEXONET-20030908 
Authors        : Joel Soderberg and Christer Oberg
Issue date     : Monday, September 8, 2003
Publish date   : Monday, October 27, 2003
Application    : thttpd
Version(s)     : 2.21 - 2.23b1
Platforms      : FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF
Availability   : http://www.texonet.com/advisories/TEXONET-20030908.txt
-----------------------------------------------------------------------


Problem:
-----------------------------------------------------------------------
Remote overflow allows attacker to partially overwrite ebp register and
execute arbitrary code.


Description:
-----------------------------------------------------------------------
The problem is found in libhttpd.c in the function defang()

static void
defang( char* str, char* dfstr, int dfsize )
    {
    char* cp1;
    char* cp2;

    for ( cp1 = str, cp2 = dfstr;
   *cp1 != '\0' && cp2 - dfstr < dfsize - 1;
   ++cp1, ++cp2 )
 {
 switch ( *cp1 )
     {
     case '<':
     *cp2++ = '&';
     *cp2++ = 'l';
     *cp2++ = 't';
     *cp2 = ';';
     break;
     case '>':
     *cp2++ = '&';
     *cp2++ = 'g';
     *cp2++ = 't';
     *cp2 = ';';
     break;
     default:
     *cp2 = *cp1;
     break;
     }
 }
    *cp2 = '\0';
    }

So when '<' or '>' are found in the input we "pay for 1 and get 3 for 
free", this allows us overwrite bits of ebp and indirectly control eip 
(assuming its been compiled with gcc < 3.0)  



Workaround:
-----------------------------------------------------------------------
Upgrade to version 2.24


Disclosure Timeline:
-----------------------------------------------------------------------
09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release


About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish based security company with a focus on penetration 
testing / security assessments, research and development.


Contacting Texonet:
-----------------------------------------------------------------------
E-mail:    advisories(-at-)texonet.com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031027/26ad9489/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ