From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: Fri Jan 04 2002 - 06:07:13 CST


    Hello methodic,

    While testing a buffer overflow in your patch (tpbuf is only 210 bytes,
    but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found a
    classical exploitable syslog() format string in this extremely secure
    product. Patch?

    - if (priority<=LOGLEVEL) syslog(tplev,buf);
    + if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);
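    Review bot: The replacement `syslog(tplev,"%s",buf)` is the right fix for the call shown, but the hunk carries no `---`/`+++` headers or `@@` range, so state that it targets the `syslog(tplev,buf)` line inside `logthis()` (the function quoted below) for anyone applying it by hand. While touching that function, note that `tplev` stays 0 for any priority outside 1-4, and 0 is LOG_EMERG in syslog.h, so an unexpected priority would be logged at the most severe level; a default branch that rejects or clamps the value would close that gap.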

    void logthis(int priority, char *buf) {

    /*
       Priority is 1-4, with 1 being the highest priority.
       1 - CRITICAL ERRORS
       2 - ERRORS
       3 - WARNINGS
       4 - DEBUG INFORMATION
    */

    #ifdef LOGLEVEL

      int tplev=0;

      if (priority==1) tplev=LOG_CRIT;
      if (priority==2) tplev=LOG_ERR;
      if (priority==3) tplev=LOG_WARNING;
      if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in
                                             /var/messages by default, so... */

      if (priority<=LOGLEVEL) syslog(tplev,buf);

    #endif

    }

    --Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraq@securityfocus.com:

    m> - -- ------------------------- -- -
    m> [>>(] AngryPacket Security Advisory [>(]
    m> - -- ------------------------- -- -

    m> +--------------------- -- -
    m> + advisory information
    m> +------------------ -- -
    m> author: methodic <methodic@slartibartfast.angrypacket.com>
    m> release date: 01/03/2002
    m> homepage: http://sec.angrypacket.com
    m> advisory id: 0x0000

    m> +-------------------- -- -
    m> + product information
    m> +----------------- -- -
    m> software: Anti-Web httpd (awhttpd)
    m> author: HardCore Software
    m> homepage: http://hardcoresoftware.cjb.net/awhttpd/
    m> description:
    m> "Anti-Web httpd is a single-process Web server that relies on its
    m> inherent simplicity to be robust, and secure."

    m> +---------------------- -- -
    m> + vulnerability details
    m> +------------------- -- -
    m> problem: local denial-of-service
    m> affected: awhttpd 2.2 and perhaps earlier versions
    m> explanation: any local user with write access to awhttpd's html
    m> directory can crash the daemon by crafting a special
    m> script which is parsed by awhttpd's scripting engine
    m> (which is enabled by default). the offending code
    m> exists on line 29 of misc.c:

    m> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

    m> a sample awhttpd script looks like this:
    m> # test.cgi
    m> --AWHTTPD SCRIPT--
    m> echo "this is a test"
    m> F:test.html

    m> the problem is if test.html doesn't exist in the html
    m> directory, then awhttpd will crash on the fclose();
    m> status: vendor was notified
    m> exploit: see above
    m> fix: apply the patches below or disable the scripting engine by
    m> editing config.h in the root source directory of awhttpd.

    m> =====[ begin cut here ]=====
    m> --- misc.c.orig Wed Jan 2 16:22:24 2002
    m> +++ misc.c Wed Jan 2 16:26:37 2002
    m> -26,7 +26,7
     
    m> void discon(int i) {
    m> close(infd[i]);
    m> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
    m> + if (filefd[i]!= NULL) fclose(filefd[i]);
    m> if (sending[i]>0) numofusers--;
    m> sending[i]=0;
    m> getreqs[i][0]=0;
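    Review bot: The `+` line still leaves `filefd[i]` pointing at a closed stream after `fclose(filefd[i])`; add `filefd[i]=NULL;` right after the close so a repeated `discon(i)`, or the unconditional `fclose(filefd[i])` in the procscrpt.c hunk, cannot double-close it. Changing the sentinel from `(FILE *) -1` to `NULL` also only helps if every place that initializes or resets `filefd[i]` now stores NULL instead of the old -1 value; that code is not in the patch and should be checked before this is applied.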
    m> =====[ end of misc.c patch ]=====

    m> =====[ begin cut here ]=====
    m> --- procscrpt.c.orig Wed Jan 2 16:27:33 2002
    m> +++ procscrpt.c Wed Jan 2 16:51:47 2002
    m> -38,6 +38,12
    m> sending[i]=1;
    m> strcpy(getreqs[i],tpbuf+2);
    m> stripcrlf(getreqs[i]);
    m> + if(doesfileexist(getreqs[i]) == 0) {
    m> + strcpy(tpbuf, "Error: cannot locate ");
    m> + strncat(tpbuf, getreqs[i], 256);
    m> + strcat(tpbuf, " for reading!\n");
    m> + logthis(3, tpbuf);
    m> + }
    m> fclose(filefd[i]);
    m> } else if (tpbuf[0]==0) {
    m> discon(i);
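    Review bot: `strncat(tpbuf, getreqs[i], 256)` on the second `+` line bounds the number of characters appended, not the size of tpbuf, so with a 210-byte tpbuf (as the reply above states) that already holds "Error: cannot locate " the copy can run past the end; use `sizeof(tpbuf) - strlen(tpbuf) - 1` as the limit, or build the whole message with snprintf. The message is then handed to `logthis(3, tpbuf)`, which passes it straight to syslog() as the format string, so text taken from the script file reaches a format argument; the `"%s"` fix in logthis() is needed alongside the corrected bound. Finally, the new block only logs the missing file and still falls through to the `fclose(filefd[i])` below it, so confirm that `filefd[i]` is a valid open stream on that path or skip the close when the file was not found.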
    m> =====[ end of procscrpt.c patch ]=====

    m> +-------- -- -
    m> + credits
    m> +----- -- -
    m> Bug was found by methodic of AngryPacket security group.
    m> Patches by methodic.

    m> +----------- -- -
    m> + disclaimer
    m> +-------- -- -
    m> The contents of this advisory are Copyright (c) 2002 AngryPacket
    m> Security, and may be distributed freely provided that no fee is charged
    m> for distribution and that proper credit is given. As such, AngryPacket
    m> Security group, collectively or individually, shall not be held liable
    m> or responsible for the misuse of any information contained herein.

    m> - -- ------------------------- -- -
    m> [>>(] AngryPacket Security Advisory [>(]
    m> - -- ------------------------- -- -

    -- 
    ~/ZARAZA
    Eternal memory to Saint Patrick! (Twain)
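The two defects discussed in this thread, the strncat() bound on tpbuf in the procscrpt.c patch and the syslog() format string in logthis(), come down to one pattern: request-derived text must be copied with a limit derived from the destination's remaining space, and must reach syslog() as an argument of a fixed "%s" format, never as the format itself. The following C program is an added illustration of both, not code from the thread or from awhttpd; it assumes the 210-byte tpbuf size and the 1-4 priority scheme quoted above, and the function names (bounded_append, build_missing_file_message, logthis_safe) and the sample "file name" are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Size of awhttpd's tpbuf as stated in the reply above (assumption taken
   from the thread, not checked against awhttpd's source). */
#define TPBUF_SIZE 210

/* Map logthis()'s 1-4 priority scheme to a syslog level. Unknown values
   return -1 instead of silently becoming 0, which is LOG_EMERG. */
int priority_to_syslog(int priority)
{
    switch (priority) {
    case 1:  return LOG_CRIT;
    case 2:  return LOG_ERR;
    case 3:  return LOG_WARNING;
    case 4:  return LOG_WARNING;   /* same choice as the original: keep debug visible */
    default: return -1;
    }
}

/* Append src to the NUL-terminated string in dst without writing past dstsz
   bytes. strncat's limit is the number of characters to *append*, so it has
   to come from the room left in dst, not from a constant such as 256.
   Returns 1 if src had to be truncated, 0 otherwise. */
int bounded_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 >= dstsz)
        return 1;                       /* no room left at all */
    size_t room = dstsz - used - 1;     /* keep one byte for the NUL */
    size_t need = strlen(src);
    strncat(dst, src, room);
    return need > room;
}

/* Build the "cannot locate <name>" message into dst (dstsz bytes).
   Returns 1 if any part was truncated, 0 if the whole message fit. */
int build_missing_file_message(char *dst, size_t dstsz, const char *name)
{
    if (dstsz == 0)
        return 1;
    dst[0] = '\0';
    int truncated = bounded_append(dst, dstsz, "Error: cannot locate ");
    truncated |= bounded_append(dst, dstsz, name);
    truncated |= bounded_append(dst, dstsz, " for reading!\n");
    return truncated;
}

/* Hardened logthis(): the message is always the argument of a fixed "%s"
   format, so '%' sequences in request-derived text are logged literally
   instead of being interpreted by syslog(). Returns 0, or -1 for a bad priority. */
int logthis_safe(int priority, const char *msg)
{
    int level = priority_to_syslog(priority);
    if (level < 0)
        return -1;
    syslog(level, "%s", msg);
    return 0;
}

/* Module-level buffer mirroring awhttpd's global tpbuf, with accessors so the
   behaviour can be checked without reading the system log. */
static char tpbuf[TPBUF_SIZE];

int build_into_tpbuf(const char *name)
{
    return build_missing_file_message(tpbuf, sizeof tpbuf, name);
}

const char *tpbuf_contents(void)
{
    return tpbuf;
}

/* Constructed input: a 299-character "file name" that starts with format
   directives and is longer than the 210-byte buffer it is copied into. */
const char *constructed_long_name(void)
{
    static char name[300];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    memcpy(name, "%s%s%x%x", 8);
    return name;
}

int main(void)
{
    openlog("awhttpd-example", LOG_PID, LOG_DAEMON);

    int t = build_into_tpbuf("test.html");
    printf("short name: truncated=%d len=%zu\n", t, strlen(tpbuf_contents()));
    logthis_safe(3, tpbuf_contents());

    t = build_into_tpbuf(constructed_long_name());
    printf("long name:  truncated=%d len=%zu (buffer is %d bytes)\n",
           t, strlen(tpbuf_contents()), TPBUF_SIZE);
    logthis_safe(3, tpbuf_contents());  /* '%' characters reach the log unchanged */

    closelog();
    return 0;
}
```

With the long name the message is cut at 209 characters and the trailing " for reading!" is dropped, which is the intended failure mode: a truncated log line rather than a write past the end of tpbuf. The same text then passes through logthis_safe() and appears in syslog with its "%s%s%x%x" prefix intact, since the format string is the fixed "%s" and the message is only ever an argument.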