-----------------------------------------------------------------------
Texonet Security Advisory 20030908
-----------------------------------------------------------------------
Advisory ID  : TEXONET-20030908
Authors      : Joel Soderberg and Christer Oberg
Issue date   : Monday, September 8, 2003
Publish date : Monday, October 27, 2003
Application  : thttpd
Version(s)   : 2.21 - 2.23b1
Platforms    : FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF
Availability : http://www.texonet.com/advisories/TEXONET-20030908.txt
-----------------------------------------------------------------------

Problem:
-----------------------------------------------------------------------
A remote overflow allows an attacker to partially overwrite the ebp
register and execute arbitrary code.

Description:
-----------------------------------------------------------------------
The problem is found in libhttpd.c, in the function defang():

    static void
    defang( char* str, char* dfstr, int dfsize )
        {
        char* cp1;
        char* cp2;

        /* The loop condition only guarantees room for one output byte. */
        for ( cp1 = str, cp2 = dfstr;
              *cp1 != '\0' && cp2 - dfstr < dfsize - 1;
              ++cp1, ++cp2 )
            {
            switch ( *cp1 )
                {
                case '<':
                *cp2++ = '&';
                *cp2++ = 'l';
                *cp2++ = 't';
                *cp2 = ';';
                break;
                case '>':
                *cp2++ = '&';
                *cp2++ = 'g';
                *cp2++ = 't';
                *cp2 = ';';
                break;
                default:
                *cp2 = *cp1;
                break;
                }
            }
        *cp2 = '\0';
        }

So when '<' or '>' is found in the input we "pay for 1 and get 3 for
free": the loop condition accounts for one output byte, but four are
written. This allows us to overwrite bits of ebp and indirectly control
eip (assuming it's been compiled with gcc < 3.0).

Workaround:
-----------------------------------------------------------------------
Upgrade to version 2.24

Disclosure Timeline:
-----------------------------------------------------------------------
09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release

About Texonet:
-----------------------------------------------------------------------
Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.

Contacting Texonet:
-----------------------------------------------------------------------
E-mail:   advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone:    +46-8-55174611
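
Added example (not part of the original advisory and not thttpd's own patch):
a dry run of the defang() loop's index arithmetic from the Description,
next to a bounds-checked variant. The names defang_original_extent and
defang_checked, the 10-byte buffer and the sample input are assumptions
made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Dry run of the advisory's loop: returns how many bytes (terminator
 * included) it would store for `str`, without touching any buffer. */
size_t defang_original_extent(const char *str, size_t dfsize)
{
    size_t i = 0;                    /* stands for cp2 - dfstr */
    for (; *str != '\0' && i + 1 < dfsize; ++str, ++i)
        if (*str == '<' || *str == '>')
            i += 3;                  /* three stores the condition never checked */
    return i + 1;                    /* the final *cp2 = '\0' */
}

/* Hardened variant (hypothetical name): reserves room for the whole entity
 * and the terminator before storing; input that does not fit is truncated.
 * Returns the number of bytes written, excluding the terminator. */
size_t defang_checked(const char *str, char *dfstr, size_t dfsize)
{
    size_t used = 0;
    if (dfsize == 0)
        return 0;
    for (; *str != '\0'; ++str) {
        const char *rep = *str == '<' ? "&lt;" : *str == '>' ? "&gt;" : NULL;
        size_t need = rep ? 4 : 1;
        if (need > dfsize - 1 - used)
            break;                   /* would not fit: stop, never overrun */
        if (rep)
            memcpy(dfstr + used, rep, need);
        else
            dfstr[used] = *str;
        used += need;
    }
    dfstr[used] = '\0';
    return used;
}

int main(void)
{
    char out[10];                    /* constructed size, not thttpd's */
    const char *in = "<<<<";         /* constructed sample input */
    printf("original loop would store %zu bytes into %zu\n",
           defang_original_extent(in, sizeof out), sizeof out);
    printf("checked: %zu bytes, \"%s\"\n",
           defang_checked(in, out, sizeof out), out);
    return 0;
}
```

The dry run makes the size of the overrun measurable for any input and
buffer size, which is useful when auditing other callers of a similar
escaping loop.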