lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041030143100.GA1451@vapid.dhs.org>
From: lwc at vapid.ath.cx (Larry Cashdollar)
Subject: Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?

Read the first post by Luiz.   This is only applicable if your running
apache chrooted and htpasswd is part of that chrooted environment.

On Fri, Oct 29, 2004 at 11:53:16PM +0200, Andr? Malo wrote:
> * Larry Cashdollar <lwc@...id.ath.cx> wrote:
> 
> > This was posted on the full-disclosure list sept 16 2004 by
> > Luiz Fernando.
> > 
> > http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html
> > 
> > The nessus check for this vulnerability recommends upgrading to
> > Apache version 1.3.32:
> > 
> > http://cgi.nessus.org/plugins/dump.php3?id=14771
> > 
> > But in Apache 1.3.33:
> > 
> > lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c
> >     strcpy(record, user);
> >         strcpy(pwfilename, argv[i]);
> >     strcpy(user, argv[i + 1]);
> >         strcpy(password, argv[i + 2]);
> >             strcpy(scratch, line);
> > 
> > It is still vulnerable.
> 
> If you start htpasswd from a shell and you exploit some kind of buffer
> overflow, you get ... a shell?. Wow!
> 
> Whoever runs htpasswd setuid is darn silly. The httpd developers, the docs and
> commonsense tell, that the program is just not designed for such an intention.
> 
> Or in other words, take any program that's not designed for being run setuid
> and you'll find a "vulnerability" (e.g. with malloc debug environment
> variables or the like).
> 
> Sorry, I can't see a security vulnerability here.
> 
> nd
> -- 
> > [...] wei? jemand zuf?llig, was der Tag DIV ausgeschrieben bedeutet?
> DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da
> so reinpacken und dann absolut positionieren ...
>                            -- Florian Hartig und Lars Kasper in dciwam


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ