OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: qitest1 (qitest1_at_bespin.org)
Date: Thu Jul 18 2002 - 03:32:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                    QITEST1 SECURITY ADVISORY #005

    wwwoffle-2.7b and prior segfaults with negative Content-Length value

    PROGRAM DESCRIPTION
    WWWOFFLE, World Wide Web Offline Explorer, is a proxy HTTP/FTP
    server for computers with dial-up internet access.

    DETAILS
    When processing http requests, wwwoffled misinterprets the
    "Content-Length" header field: it fails to handle negative
    values properly. Consequently, if receiving a negative integer,
    program segfaults in memcpy(), because its size argument (size_t n)
    should be an unsigned integer.
    Remote overflow exploitation may be possible. Only child process
    dies on segfault, so this does not constitutes a denial of service
    vulnerability effectively.

    SOLUTION
    wwwoffle_2.7c fixes this flaw. Alternatively, you can use the
    following patch:

    ==8< wwwoffle-2.7b.patch
    - --- wwwoffle-2.7b-old/src/parse.c Sat Mar 23 15:28:36 2002
    +++ wwwoffle-2.7b/src/parse.c Fri Jul 12 16:52:46 2002
    -180,7 +180,7
      if(!strcmp("POST",(*request_head)->method) ||
         !strcmp("PUT",(*request_head)->method))
        {
    - - if(length==-1)
    + if(length < 0)
           {free(url);return(NULL);}
     
         *request_body=CreateBody(length);
    ==8<

      -- -------------------------------------------
      ---- q1-- ----------------------------------------
      -- -------------------------------------------
      Web: http://bespin.org/~qitest1
      GPG public key: http://bespin.org/~qitest1/qitest1.gpg.key
      - --------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9Nmt+IrsshIyVmPkRAiWmAJ4rpSSEazUu5eR/JDNZx5aN+2o1iACggnOZ
    tyltTOlBgy9tB3ZbQob0R7Q=
    =ZNsX
    -----END PGP SIGNATURE-----