Buffer overflow in the query cgi.
Apropos of Nothing (apropos sover.net)
Sat, 4 Jan 1997 23:29:00 -0500
- Next message: Thomas H. Ptacek: "Re: Buffer overflow in the query cgi."
- Previous message: Wietse Venema: "Re: serious security bug in wu-ftpd v2.4"
- Next in thread: Thomas H. Ptacek: "Re: Buffer overflow in the query cgi."
The cgi script 'query' has a buffer overflow problem. Let's look at the code:
    typedef struct {
        char name[128];          /* fixed 128-byte field */
        char val[128];           /* fixed 128-byte field */
    } entry;
    ...
    main(int argc, char *argv[]) {
        entry entries[10000];
        register int x,m=0;
        char *cl;
        cl = getenv("QUERY_STRING");   /* attacker-controlled, unbounded length */
        for(x=0;cl[0] != '\0';x++) {
            m=x;
            getword(entries[x].val,cl,'&');     /* copies into 128 bytes with no limit */
            plustospace(entries[x].val);
            unescape_url(entries[x].val);
            getword(entries[x].name,entries[x].val,'=');
        }
        /* ... rest of main() not shown in the post ... */
    }
And recall what Aleph1 pointed out about 'getword':
    void getword(char *word, char *line, char stop) {
        int x = 0,y;
        /* copies until NUL or the stop char; never looks at the size of word */
        for(x=0;((line[x]) && (line[x] != stop));x++)
            word[x] = line[x];
        word[x] = '\0';
        if(line[x]) ++x;                     /* skip the stop char */
        y=0;
        while(line[y++] = line[x++]);        /* shift the remainder of line down */
    }
>As you can see it does no bounds checking.
OK, so looking up at query.c again we see that it copies cl (the query
string) into entries[x].val (a 128-byte char array) with getword... and you know
what that means!
My buffer overflow skills aren't very good, so I'd like to see if anyone
else can exploit this. It should be pretty easy since all you have to do
is supply 128 bytes, then enough code to get up to the stack and overwrite
it, all in the query string.
apropos of nothing
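For reference, a bounded version of the copy described above, added here as an example and not code from the post or from NCSA httpd. It assumes the 128-byte fields and the parsing loop shown in query.c, omits plustospace()/unescape_url(), and reports how many tokens the original getword() would have overrun (the sample query is constructed).

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 128   /* sizeof entry.name and entry.val in query.c */

typedef struct { char name[FIELD_LEN]; char val[FIELD_LEN]; } entry;

/* Bounded drop-in for getword(): copies at most wordlen-1 bytes of the token
 * before `stop`, always NUL-terminates (wordlen must be >= 1), and consumes
 * the token from line exactly as the original does. Returns the token's real
 * length; a value >= wordlen means the unbounded original would overflow. */
size_t getword_bounded(char *word, size_t wordlen, char *line, char stop) {
    size_t x, y = 0, toklen;
    for (x = 0; line[x] && line[x] != stop; x++)
        if (y + 1 < wordlen) word[y++] = line[x];
    word[y] = '\0';
    toklen = x;
    if (line[x]) ++x;                                /* skip the stop char */
    memmove(line, line + x, strlen(line + x) + 1);   /* shift the rest down */
    return toklen;
}

/* query.c's loop with bounds on both the field copy and the entry index.
 * Returns how many tokens exceeded FIELD_LEN-1, i.e. how many times the
 * original getword() would have written past entries[x].val. */
int parse_query(char *cl, entry *entries, int maxentries, int *count) {
    int x, oversized = 0;
    for (x = 0; cl[0] != '\0' && x < maxentries; x++) {
        if (getword_bounded(entries[x].val, FIELD_LEN, cl, '&') >= FIELD_LEN)
            oversized++;
        /* val is already bounded, so splitting name off it cannot overflow */
        getword_bounded(entries[x].name, FIELD_LEN, entries[x].val, '=');
    }
    *count = x;
    return oversized;
}

/* Constructed sample: a normal parameter followed by one whose value is
 * 300 bytes, well past the 128-byte field. */
static char g_query[512];
static entry g_entries[16];
static int g_count;

int demo(void) {
    size_t n;
    strcpy(g_query, "name=bob&big=");
    n = strlen(g_query);
    memset(g_query + n, 'A', 300);
    g_query[n + 300] = '\0';
    return parse_query(g_query, g_entries, 16, &g_count);
}

int main(void) {
    int over = demo();
    printf("%d entries, %d oversized token(s), val[1] kept %zu bytes\n",
           g_count, over, strlen(g_entries[1].val));
    return 0;
}
```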