thttpd defang() Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1008007
CVE Reference: CAN-2003-0899
Updated: Oct 29 2003
Original Entry Date: Oct 27 2003
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.21 - 2.23b1
Description: A buffer overflow vulnerability was reported in the thttpd web server daemon. A remote user can execute arbitrary code.
Texonet reported that a flaw in the defang() function in libhttpd.c allows a remote user to send specially crafted data containing the '<' or '>' characters to trigger an overflow and overwrite the EBP register to execute arbitrary code.
The following notification timeline is provided:
09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release
Impact: A remote user can execute arbitrary code on the target server with the privileges of the web server process.

Solution: The vendor has released a fixed version (2.24), available at:
http://www.acme.com/software/thttpd/thttpd.html
http://www.acme.com/software/thttpd/thttpd-2.24.tar.gz

Vendor URL: www.acme.com/software/thttpd/thttpd.html

Cause: Boundary error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: <full-disclosure@texonet.com>

Message History: This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Mon, 27 Oct 2003 21:12:40 +0100
From: <full-disclosure@texonet.com>
Subject: [Full-Disclosure] Remote overflow in thttpd

-----------------------------------------------------------------------
Texonet Security Advisory 20030908
-----------------------------------------------------------------------
Advisory ID : TEXONET-20030908
Authors : Joel Soderberg and Christer Oberg
Issue date : Monday, September 8, 2003
Publish date : Monday, October 27, 2003
Application : thttpd
Version(s) : 2.21 - 2.23b1
Platforms : FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF
Availability : http://www.texonet.com/advisories/TEXONET-20030908.txt
-----------------------------------------------------------------------
Problem:
-----------------------------------------------------------------------
Remote overflow allows attacker to partially overwrite ebp register and
execute arbitrary code.
Description:
-----------------------------------------------------------------------
The problem is found in libhttpd.c in the function defang()
static void
defang( char* str, char* dfstr, int dfsize )
{
    char* cp1;
    char* cp2;

    /* The only bounds check is in the loop condition, and it is evaluated
       once per input byte before the switch below runs. */
    for ( cp1 = str, cp2 = dfstr;
          *cp1 != '\0' && cp2 - dfstr < dfsize - 1;
          ++cp1, ++cp2 )
    {
        switch ( *cp1 )
        {
            /* These two cases write four output bytes for one input byte,
               so a '<' or '>' accepted by the check can still place up to
               three bytes past the end of dfstr. */
            case '<':
                *cp2++ = '&';
                *cp2++ = 'l';
                *cp2++ = 't';
                *cp2 = ';';
                break;
            case '>':
                *cp2++ = '&';
                *cp2++ = 'g';
                *cp2++ = 't';
                *cp2 = ';';
                break;
            default:
                *cp2 = *cp1;
                break;
        }
    }
    /* The terminator is written wherever cp2 ended up, also unchecked. */
    *cp2 = '\0';
}
So when '<' or '>' are found in the input we "pay for 1 and get 3 for
free"; this allows us to overwrite bits of ebp and indirectly control eip
(assuming it's been compiled with gcc < 3.0).
Workaround:
-----------------------------------------------------------------------
Upgrade to version 2.24
Disclosure Timeline:
-----------------------------------------------------------------------
09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release
About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.
Contacting Texonet:
-----------------------------------------------------------------------
E-mail: advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611
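To make the defang() defect described in the advisory concrete from a defender's side, here is an added example (not thttpd's or Texonet's code): defang_max_index replays the loop's bounds check on indices only, defang_overrun reports how many bytes past dfsize the original loop would write, and defang_safe is a hardened variant that checks there is room for the full four-byte expansion plus the terminator before writing. The function names are my own and the code assumes dfsize >= 1.

```c
#include <stddef.h>
#include <string.h>

/* Replays the bounds check of the defang() loop above on indices only
 * (nothing is written), returning the highest index the original would
 * write into a dfsize-byte buffer; indices >= dfsize are past its end. */
size_t defang_max_index(const char *str, size_t dfsize)
{
    size_t i = 0, max = 0;
    if (dfsize == 0)
        return 0;
    for (; *str != '\0' && i < dfsize - 1; ++str, ++i) {
        if (*str == '<' || *str == '>')
            i += 3;             /* "&lt;" / "&gt;": four bytes at i..i+3 */
        if (i > max)
            max = i;
    }
    return i > max ? i : max;   /* the trailing '\0' lands at index i */
}

/* Bytes the original loop writes past the end of dfstr (0 if none). */
size_t defang_overrun(const char *str, size_t dfsize)
{
    size_t m = defang_max_index(str, dfsize);
    return m >= dfsize ? m - dfsize + 1 : 0;
}

/* Hardened variant: checks that the whole replacement plus the '\0'
 * fits before writing it, truncating otherwise; returns bytes written. */
size_t defang_safe(const char *str, char *dfstr, size_t dfsize)
{
    size_t o = 0;
    if (dfsize == 0)
        return 0;
    for (; *str != '\0'; ++str) {
        const char *rep = str;  /* default: copy the byte itself */
        size_t n = 1;
        if (*str == '<') { rep = "&lt;"; n = 4; }
        if (*str == '>') { rep = "&gt;"; n = 4; }
        if (o + n >= dfsize)
            break;              /* no room for rep plus the terminator */
        memcpy(dfstr + o, rep, n);
        o += n;
    }
    dfstr[o] = '\0';
    return o;
}
```

With an 8-byte destination, the input "aaaaaa<" passes the original check with cp2 at index 6 and then writes indices 6 through 9 plus the terminator at 10, three bytes past the buffer, which is the "pay for 1 and get 3 for free" the advisory describes.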