Buffer overflow in awhttpd (Re: Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS))

Hello 3APA3A,

OK, format string issue exists only in proposed patch… What about this
issue:

There are (at least) 2 buffer overflows with heap corruption, tpbuf can
be up to 210 characters while getreqs[i] is malloc(100). Of cause,
target file should exist… tpbuf is base dir concatenated with 100
bytes of user's request. It does strips all "…" and "/.", but what
about "///////////" ?

simply try GET '/'x100 in few concurrent connections.

/* ---- So? Does all this mess find us the right file?
BTW - Check to make sure it isn't a directory… */
if ((doesfileexist(tpbuf)==1) && (isadir(tpbuf)==0)) {
strcpy(getreqs[i],tpbuf); return 0; }

…

/* ---- No? How 'bout this? */
if (tpbuf[strlen(tpbuf)-1]!=SLASH) strcat(tpbuf,"/");
strcat(tpbuf,INDEXFILE);
if (doesfileexist(tpbuf)==1) {
strcpy(getreqs[i],tpbuf); return 0; }

–Friday, January 04, 2002, 3:07:13 PM, you wrote to [email protected]:

3> Hello methodic,

3> While testing a buffer overflow in you patch (tpbuf is only 210 bytes,
3> but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found
3> classical exploitable syslog() format string in this extremely secure
3> product. Patch?

3> - if (priority<=LOGLEVEL) syslog(tplev,buf);
3> + if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);

3> void logthis(int priority, char *buf) {

3> /*
3> Priority is 1-4, with 1 being the highest priority.
3> 1 - CRITICAL ERRORS
3> 2 - ERRORS
3> 3 - WARNINGS
3> 4 - DEBUG INFORMATION
3> */

3> #ifdef LOGLEVEL

3> int tplev=0;

3> if (priority==1) tplev=LOG_CRIT;
3> if (priority==2) tplev=LOG_ERR;
3> if (priority==3) tplev=LOG_WARNING;
3> if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in
3> /var/messages by default, so… */

3> if (priority<=LOGLEVEL) syslog(tplev,buf);

3> #endif

3> }

3> --Friday, January 04, 2002, 2:13:48 AM, you wrote to [email protected]:

m>> - – ------------------------- – -
[>>>(] AngryPacket Security Advisory [>(]
m>> - – ------------------------- – -

m>> ±-------------------- – -
m>> + advisory information
m>> ±----------------- – -
m>> author: methodic <[email protected]>
m>> release date: 01/03/2002
m>> homepage: http://sec.angrypacket.com
m>> advisory id: 0x0000

m>> ±------------------- – -
m>> + product information
m>> ±---------------- – -
m>> software: Anti-Web httpd (awhttpd)
m>> author: HardCore Software
m>> homepage: http://hardcoresoftware.cjb.net/awhttpd/
m>> description:
m>> "Anti-Web httpd is a single-process Web server that relies on its
m>> inherent simplicity to be robust, and secure."

m>> ±--------------------- – -
m>> + vulnerability details
m>> ±------------------ – -
m>> problem: local denial-of-service
m>> affected: awhttpd 2.2 and perhaps earlier versions
m>> explaination: any local user with write access to awhttpd's html
m>> directory can crash the daemon by crafting a special
m>> script which is parsed by awhttpd's scripting engine
m>> (which is enabled by default). the offending code
m>> exists on line 29 of misc.c:

m>> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

m>> a sample awhttpd script looks like this:
m>> # test.cgi
m>> --AWHTTPD SCRIPT–
m>> echo "this is a test"
m>> F:test.html

m>> the problem is if test.html doesn't exist in the html
m>> directory, then awhttpd will crash on the fclose();
m>> status: vendor was notified
m>> exploit: see above
m>> fix: apply the patches below or disable the scripting engine by
m>> editing config.h in the root source directory of awhttpd.

m>> =====[ begin cut here ]=====
m>> — misc.c.orig Wed Jan 2 16:22:24 2002
m>> +++ misc.c Wed Jan 2 16:26:37 2002
m>> @@ -26,7 +26,7 @@

m>> void discon(int i) {
m>> close(infd[i]);
m>> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m>> + if (filefd[i]!= NULL) fclose(filefd[i]);
m>> if (sending[i]>0) numofusers–;
m>> sending[i]=0;
m>> getreqs[i][0]=0;
m>> =====[ end of misc.c patch ]=====

m>> =====[ begin cut here ]=====
m>> — procscrpt.c.orig Wed Jan 2 16:27:33 2002
m>> +++ procscrpt.c Wed Jan 2 16:51:47 2002
m>> @@ -38,6 +38,12 @@
m>> sending[i]=1;
m>> strcpy(getreqs[i],tpbuf+2);
m>> stripcrlf(getreqs[i]);
m>> + if(doesfileexist(getreqs[i]) == 0) {
m>> + strcpy(tpbuf, "Error: cannot locate ");
m>> + strncat(tpbuf, getreqs[i], 256);
m>> + strcat(tpbuf, " for reading!\n");
m>> + logthis(3, tpbuf);
m>> + }
m>> fclose(filefd[i]);
m>> } else if (tpbuf[0]==0) {
m>> discon(i);
m>> =====[ end of procscrpt.c patch ]=====

m>> ±------- – -
m>> + credits
m>> ±---- – -
m>> Bug was found by methodic of AngryPacket security group.
m>> Patches by methodic.

m>> ±---------- – -
m>> + disclaimer
m>> ±------- – -
m>> The contents of this advisory are Copyright (c) 2002 AngryPacket
m>> Security, and may be distributed freely provided that no fee is charged
m>> for distribution and that proper credit is given. As such, AngryPacket
m>> Security group, collectively or individually, shall not be held liable
m>> or responsible for the misuse of any information contained herein.

m>> - – ------------------------- – -
[>>>(] AngryPacket Security Advisory [>(]
m>> - – ------------------------- – -

–
~/ZARAZA
Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен)