Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12461
HistoryApr 28, 2006 - 12:00 a.m.

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

2006-04-2800:00:00
vulners.com
8
JSON

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

Author : Dedi Dwianto
Date : April, 28th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High

Affected software description:



Application : Sws Web Server
version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description :

SWS is web server for static web pages. 
SWS is very simple and fast. It's written in GCC and you can distribute with GPL license.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary. 
The format string vulnerability and buffer overflow can be found in 
sws_web_server.c ayardosyasi.h file: 

------------------ ayardosyasi.h ------------------------

                ...........
                char homedizini[50];            
                char defaultsayfa[50];          
                char hatasayfasi[100];
                ...........
                void open_log_file (void)
                {
                ....
                syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og files cannot     opened. ");
                exit (1);
                ...........
                
------------------ sws_web_server.c------------------------
                
                cp = buf + 5;
                ...........
                if (buf[strlen (buf) - 1] == '/')
                {
                      strcpy (cp, defaultsayfa);
                      strcpy (home, homedizini);
                      strcat (home, cp);
                .............
                syslog(LOG_INFO, "Application finished.");
                  free(recvBuffer);
                  exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ [email protected]
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
JSON