Subject: Security bugs in nokia voyager, BO dev.
From: gregory duchemin (c3rb3rHOTMAIL.COM)
Date: Fri Sep 29 2000 - 11:13:05 CDT


Voyager works with a multipurpose CGI called html_page that makes a call to
html_gen with a filename as a template script. Html_gen produces the final
HTML page returned by Apache.
If you test this kind of URL:
http://your-nokia/http://10.1.152.2/cgi-bin/html_page?TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
you'll get a segfault error page.
If you test it with a command line, you'll reproduce the same signal.
Obviously, html_gen is unable to properly manage a big amount of data in some
of its parameters. IH is one of html_page's parameters that does the
job.

With telnet, try (under tcsh):

#setenv QUERY_STRING
"TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#/web/cgi-bin/html_page

Content-type: text/html

<br>Html_gen exited because of signal: Segmentation fault<br>
nokia1[admin]#

I don't exactly know the format of the arguments html_page feeds to html_gen,
and so how to reproduce the SIGSEGV signal directly with html_gen.
(How can I find it with gdb?)

I'll try a precompiled FreeBSD compiler to write some test programs on my
IPSO 3.2.1.
Help would be appreciated.

Note:

Because you must already be administrator to access the Voyager setup, the
security impact is relatively low, considering that the default configuration
wasn't poorly modified.
Because Nokia IPSO isn't dedicated to multi-user work usage and no one other
than root should be able to log in, the impact for local rooting is low too,
considering the same things as above.

Gregory Duchemin

>It's supposed to be a FreeBSD branch. It's pretty different from
>a regular install, from what I recall. Where's the overflow?
>
> BB
>
>gregory duchemin wrote:
> >
> > hi,
> >
> > is there someone here that knows exactly from which *bsd nokia ipso
> > originated ?
> > I found last day an overflow but naturally no source, no compiler, just a
> > gdb...has one of you successfully tried to install and use a pre-compiled
> > compiler on this kind of system ?
> > thanks for your help
> > Gregory
> >

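As an added example (not Voyager's html_page or html_gen code; the function names and the 64-byte IH buffer are assumptions), this is the kind of bound a CGI front end like html_page can enforce on QUERY_STRING before handing parameters to a generator that stores them in fixed-size buffers, so an oversized IH is answered with a 400 instead of reaching html_gen:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Voyager's html_page/html_gen code.  The 64-byte IH
 * buffer and the function names are assumptions standing in for whatever
 * fixed-size storage html_gen uses.  No %-decoding is done: decoding only
 * shrinks a value, so the raw length is a conservative bound. */

/* Copy the value of `name` out of a raw QUERY_STRING.
 * Returns 1 if copied, 0 if absent, -1 if it would not fit in out. */
int get_param(const char *qs, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outsz)      /* reject; never truncate silently */
                return -1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Front-end guard: 1 if no value in qs is longer than max_value bytes. */
int query_values_ok(const char *qs, size_t max_value)
{
    const char *p = qs;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        if (eq && plen - (size_t)(eq - p) - 1 > max_value)
            return 0;
        p = amp ? amp + 1 : NULL;
    }
    return 1;
}
```

In a CGI wrapper, `query_values_ok(getenv("QUERY_STRING"), 63)` would run before exec'ing the generator, and `get_param(qs, "IH", ih, sizeof ih)` into a `char ih[64]` copies only a value that fits.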