From: rsanmcaralum.uax.es
Date: Sat Jan 05 2002 - 12:04:48 CST


    BOOZT! is banner management software for Linux servers. It has a web-based
    remote administration system. I played with version 0.9.8alpha.

    Here is a reproduction of the bug:

            http://127.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1

    Fill the "Name Field" with enough A's (770 was fine for me). Press "Create
    New Banner". It should show this:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable
    to complete your request.

    Let's see what happened in error_log:

    [Tue Feb 5 17:13:52 2002] [error] [client 127.0.0.1] Premature end of script
    headers: /usr/local/apache/cgi-bin/boozt/admin/index.cgi

    Now see what the code for the AdministrationBanners function
    (src/admin/banners.c) looks like:

            char name[255]="";

            [...]

            if ((pomus=(char *)GetFromCgi("name"))==NULL) strcpy(name,"");
            else strcpy(name,pomus);

    There is no boundary checking in GetFromCgi:

            #define GetFromCgi(name) cgiParam(name)

            const char *cgiParam(const char *name)
            {
             return cgiPosParam((CgiPos*)listGetByName(name));
            }

            const char *cgiPosParam(CgiPos *where)
            {
             CgiElement *w=(CgiElement*)where;
             DefCheck(NULL);

             [ ... code to walk over the linked list ... ]
            }

    This way we can write A's (or shellcode) beyond the boundaries of the "name"
    variable, making the cgi crash (or give us a shell with httpd privileges).

    Rafael San Miguel Carrasco
    rsanmcaralum.uax.es
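An added illustration, not part of the original post or of the BOOZT! code base: the unbounded strcpy() pattern quoted above, placed next to a bounded replacement that checks the length of the CGI value before copying and rejects anything that does not fit in the 255-byte buffer, instead of writing past it. The names cgi_param_stub(), set_name_bounded(), handle_name_param() and build_long_value(), and the NAME_MAX constant, are assumptions chosen for this demo; the 770-byte value is constructed to match the report.

```c
/* Added example (not from the original post): the unbounded strcpy() of a
 * CGI parameter into a fixed 255-byte buffer, beside a bounded replacement.
 * cgi_param_stub() and the other names here are assumptions for this demo,
 * not BOOZT! code. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 255   /* same size as the name[255] buffer in the advisory */

/* Hypothetical stand-in for GetFromCgi()/cgiParam(): hands back the raw
 * parameter value with no length information, as the advisory describes. */
static const char *cgi_param_stub(const char *name, const char *posted_value)
{
    return (name != NULL && posted_value != NULL) ? posted_value : NULL;
}

/* Hardened copy: only accept a value whose terminator lies within dstsz
 * bytes, so nothing is ever written past dst. Returns 0 on success, -1
 * when the value is too long (dst is left as an empty string). */
int set_name_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    if (src == NULL) {                 /* missing parameter: empty name */
        dst[0] = '\0';
        return 0;
    }
    /* memchr never looks beyond dstsz bytes, unlike strlen() on untrusted input */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL) {                 /* no room for the NUL: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Handler in the shape of AdministrationBanners(): fetch "name", store it.
 * Returns set_name_bounded()'s status so the caller can report an error
 * to the user instead of crashing. */
int handle_name_param(const char *posted_value, char *out, size_t outsz)
{
    const char *pomus = cgi_param_stub("name", posted_value);
    return set_name_bounded(out, outsz, pomus);
}

/* Builds a constructed over-long value (e.g. the 770 A's from the report).
 * Returns the number of A's actually written. */
size_t build_long_value(char *buf, size_t bufsz, size_t count)
{
    size_t n = (count < bufsz - 1) ? count : bufsz - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char name[NAME_MAX] = "";
    char big[1024];
    build_long_value(big, sizeof big, 770);

    /* Vulnerable original, as quoted in the advisory:
     *   if ((pomus=(char *)GetFromCgi("name"))==NULL) strcpy(name,"");
     *   else strcpy(name,pomus);
     * With a 770-byte value strcpy() writes 771 bytes into a 255-byte
     * buffer, i.e. 516 bytes past the end of name[]. */

    printf("short value -> %d (name=\"%s\")\n",
           handle_name_param("my banner", name, sizeof name), name);
    printf("770 A's     -> %d (name=\"%s\")\n",
           handle_name_param(big, name, sizeof name), name);
    return 0;
}
```

The important design point is that the length check happens before any byte is copied and is driven by the destination size, not by the length of the attacker-controlled source; returning an error also gives the CGI a chance to answer with a proper message rather than the "Premature end of script headers" crash shown in error_log.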