Message-ID: <1088722100.40e494b47971e@webmail.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar)
Subject: pavuk buffer overflow
I have found a buffer overflow in pavuk 0.9pl28, 0.9pl27 and possibly
also in other versions. It has the identifier CAN-2004-0456.
When pavuk sends a request to a web server and the server sends back
the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP
Location header in an unsafe manner. This leads to a stack-based
buffer overflow with control over EIP.
I have attached a patch (against 0.9pl28) for this bug and a PHP
script that exhibits the problem.
Versions of pavuk with this problem are distributed by Debian
GNU/Linux (non-US), SUSE Linux and Gentoo Linux, as well as in
FreeBSD's and OpenBSD's port collections.
I finished auditing pavuk and sent off information about this
to Debian, SUSE, Gentoo and upstream on the 14th of June. SUSE
accidentally released their update on the 23rd... Gentoo released
their advisory (please credit me) on the 30th, which was the
agreed-upon release date.
// Ulf Harnhammar for the
Debian Security Audit Project
http://www.debian.org/security/audit/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: index.php
Type: application/x-httpd-php
Size: 112 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040702/863b30e6/index.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pavuk.patch
Type: text/x-patch
Size: 450 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040702/863b30e6/pavuk.bin
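The unsafe copy described in the advisory, as an added illustration that is not pavuk's code or the author's patch: a hypothetical 305 (Use Proxy) handler in the unbounded strcpy form it warns about, beside a bounded version that checks the Location value against the destination size and rejects it instead of overflowing. The buffer size, function names and the constructed responses are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Added example, not pavuk's code: hypothetical fixed-size stack buffer
 * for the proxy URL taken from a 305 response's Location header. */
#define LOCATION_MAX 256

/* The anti-pattern: the header value's length is chosen by the remote
 * server, but nothing compares it with the destination size. Kept only
 * for contrast with the bounded version below; it is never called here. */
void copy_location_unsafe(char dst[LOCATION_MAX], const char *src)
{
    strcpy(dst, src); /* overflows when strlen(src) >= LOCATION_MAX */
}

/* Parse the status code from "HTTP/1.x NNN ...". Returns -1 if malformed. */
int parse_status(const char *resp)
{
    if (strncmp(resp, "HTTP/1.", 7) != 0) return -1;
    const char *sp = strchr(resp, ' ');
    if (!sp) return -1;
    int code = 0, n = 0;
    for (sp++; isdigit((unsigned char)*sp) && n < 3; sp++, n++)
        code = code * 10 + (*sp - '0');
    return n == 3 ? code : -1;
}

/* Copy the value of header `name` (case-insensitive) into dst, bounded by
 * dstlen. Returns 0 on success, -1 if the header is absent, -2 if the value
 * would not fit (the case the unsafe copy turns into a stack overflow). */
int get_header_bounded(const char *resp, const char *name, char *dst, size_t dstlen)
{
    size_t nlen = strlen(name);
    const char *p = strstr(resp, "\r\n");      /* skip the status line */
    while (p) {
        p += 2;
        if (p[0] == '\r' && p[1] == '\n') break; /* blank line: end of headers */
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = strstr(v, "\r\n");
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= dstlen) return -2;       /* reject instead of overflowing */
            memcpy(dst, v, vlen);
            dst[vlen] = '\0';
            return 0;
        }
        p = strstr(p, "\r\n");
    }
    return -1;
}

/* Hardened handler: on a 305, extract the proxy URL with a bound.
 * Returns 1 if a proxy URL was stored, 0 if not a 305, -1 on a missing
 * or overlong Location header. */
int handle_response(const char *resp, char *proxy, size_t proxylen)
{
    if (parse_status(resp) != 305) return 0;
    return get_header_bounded(resp, "Location", proxy, proxylen) == 0 ? 1 : -1;
}

/* Build a constructed 305 response whose Location URL ends in `pad` 'A's.
 * Returns the response length, or 0 if `out` is too small. */
size_t build_305_response(char *out, size_t outlen, size_t pad)
{
    const char *head = "HTTP/1.1 305 Use Proxy\r\nLocation: http://proxy.example/";
    const char *tail = "\r\nServer: constructed\r\n\r\n";
    size_t need = strlen(head) + pad + strlen(tail) + 1;
    if (need > outlen) return 0;
    char *p = out;
    memcpy(p, head, strlen(head)); p += strlen(head);
    memset(p, 'A', pad);           p += pad;
    memcpy(p, tail, strlen(tail) + 1);
    return need - 1;
}

/* A Location value that fits (41 bytes) is accepted: returns 1. */
int demo_short(void)
{
    char resp[2048], proxy[LOCATION_MAX];
    if (!build_305_response(resp, sizeof resp, 20)) return -99;
    int rc = handle_response(resp, proxy, sizeof proxy);
    if (rc != 1) return rc;
    return (strncmp(proxy, "http://proxy.example/", 21) == 0 && strlen(proxy) == 41) ? 1 : -98;
}

/* A 1021-byte Location value is rejected with -1; nothing is written past the buffer. */
int demo_long(void)
{
    char resp[2048], proxy[LOCATION_MAX];
    if (!build_305_response(resp, sizeof resp, 1000)) return -99;
    return handle_response(resp, proxy, sizeof proxy);
}

/* A non-redirect response is ignored: returns 0. */
int demo_not_redirect(void)
{
    char proxy[LOCATION_MAX];
    return handle_response("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", proxy, sizeof proxy);
}

int main(void)
{
    printf("short Location: %d\n", demo_short());
    printf("overlong Location: %d\n", demo_long());
    printf("non-305 response: %d\n", demo_not_redirect());
    return 0;
}
```

The fix pattern is the one the advisory implies: treat every header value as attacker-sized, compare its length with the destination before copying, and fail the request rather than truncate silently, since a truncated proxy URL is itself a bug.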