Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS)

Hello methodic,

While testing a buffer overflow in you patch (tpbuf is only 210 bytes,
but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found
classical exploitable syslog() format string in this extremely secure
product. Patch?

• if (priority<=LOGLEVEL) syslog(tplev,buf);

• if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);

void logthis(int priority, char *buf) {

/*
Priority is 1-4, with 1 being the highest priority.
1 - CRITICAL ERRORS
2 - ERRORS
3 - WARNINGS
4 - DEBUG INFORMATION
*/

#ifdef LOGLEVEL

int tplev=0;

if (priority==1) tplev=LOG_CRIT;
if (priority==2) tplev=LOG_ERR;
if (priority==3) tplev=LOG_WARNING;
if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG Doesn't show up in
/var/messages by default, so… */

if (priority<=LOGLEVEL) syslog(tplev,buf);

#endif

}

–Friday, January 04, 2002, 2:13:48 AM, you wrote to [email protected]:

m> - – ------------------------- – -
[>>(] AngryPacket Security Advisory [>(]
m> - – ------------------------- – -

m> ±-------------------- – -
m> + advisory information
m> ±----------------- – -
m> author: methodic <[email protected]>
m> release date: 01/03/2002
m> homepage: http://sec.angrypacket.com
m> advisory id: 0x0000

m> ±------------------- – -
m> + product information
m> ±---------------- – -
m> software: Anti-Web httpd (awhttpd)
m> author: HardCore Software
m> homepage: http://hardcoresoftware.cjb.net/awhttpd/
m> description:
m> "Anti-Web httpd is a single-process Web server that relies on its
m> inherent simplicity to be robust, and secure."

m> ±--------------------- – -
m> + vulnerability details
m> ±------------------ – -
m> problem: local denial-of-service
m> affected: awhttpd 2.2 and perhaps earlier versions
m> explaination: any local user with write access to awhttpd's html
m> directory can crash the daemon by crafting a special
m> script which is parsed by awhttpd's scripting engine
m> (which is enabled by default). the offending code
m> exists on line 29 of misc.c:

m> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);

m> a sample awhttpd script looks like this:
m> # test.cgi
m> --AWHTTPD SCRIPT–
m> echo "this is a test"
m> F:test.html

m> the problem is if test.html doesn't exist in the html
m> directory, then awhttpd will crash on the fclose();
m> status: vendor was notified
m> exploit: see above
m> fix: apply the patches below or disable the scripting engine by
m> editing config.h in the root source directory of awhttpd.

m> =====[ begin cut here ]=====
m> — misc.c.orig Wed Jan 2 16:22:24 2002
m> +++ misc.c Wed Jan 2 16:26:37 2002
m> @@ -26,7 +26,7 @@

m> void discon(int i) {
m> close(infd[i]);
m> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m> + if (filefd[i]!= NULL) fclose(filefd[i]);
m> if (sending[i]>0) numofusers–;
m> sending[i]=0;
m> getreqs[i][0]=0;
m> =====[ end of misc.c patch ]=====

m> =====[ begin cut here ]=====
m> — procscrpt.c.orig Wed Jan 2 16:27:33 2002
m> +++ procscrpt.c Wed Jan 2 16:51:47 2002
m> @@ -38,6 +38,12 @@
m> sending[i]=1;
m> strcpy(getreqs[i],tpbuf+2);
m> stripcrlf(getreqs[i]);
m> + if(doesfileexist(getreqs[i]) == 0) {
m> + strcpy(tpbuf, "Error: cannot locate ");
m> + strncat(tpbuf, getreqs[i], 256);
m> + strcat(tpbuf, " for reading!\n");
m> + logthis(3, tpbuf);
m> + }
m> fclose(filefd[i]);
m> } else if (tpbuf[0]==0) {
m> discon(i);
m> =====[ end of procscrpt.c patch ]=====

m> ±------- – -
m> + credits
m> ±---- – -
m> Bug was found by methodic of AngryPacket security group.
m> Patches by methodic.

m> ±---------- – -
m> + disclaimer
m> ±------- – -
m> The contents of this advisory are Copyright (c) 2002 AngryPacket
m> Security, and may be distributed freely provided that no fee is charged
m> for distribution and that proper credit is given. As such, AngryPacket
m> Security group, collectively or individually, shall not be held liable
m> or responsible for the misuse of any information contained herein.

m> - – ------------------------- – -
[>>(] AngryPacket Security Advisory [>(]
m> - – ------------------------- – -

–
~/ZARAZA
Вечная память святому Патрику! (Твен)