[Please upgrade if you run thttpd on any platform -- Raju]

This is an RFC 1153 digest. (1 message)

----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: [Full-Disclosure] Remote overflow in thttpd
Date: Mon, 27 Oct 2003 21:12:40 +0100

-----------------------------------------------------------------------
Texonet Security Advisory 20030908
-----------------------------------------------------------------------

Advisory ID   : TEXONET-20030908
Authors       : Joel Soderberg and Christer Oberg
Issue date    : Monday, September 8, 2003
Publish date  : Monday, October 27, 2003
Application   : thttpd
Version(s)    : 2.21 - 2.23b1
Platforms     : FreeBSD, SunOS 4, Solaris 2, BSD/OS, Linux, OSF
Availability  : http://www.texonet.com/advisories/TEXONET-20030908.txt

-----------------------------------------------------------------------
Problem:
-----------------------------------------------------------------------

Remote overflow allows an attacker to partially overwrite the ebp register
and execute arbitrary code.

-----------------------------------------------------------------------
Description:
-----------------------------------------------------------------------

The problem is found in libhttpd.c in the function defang():

    static void
    defang( char* str, char* dfstr, int dfsize )
        {
        char* cp1;
        char* cp2;

        for ( cp1 = str, cp2 = dfstr;
              *cp1 != '\0' && cp2 - dfstr < dfsize - 1;
              ++cp1, ++cp2 )
            {
            switch ( *cp1 )
                {
                case '<':
                *cp2++ = '&';
                *cp2++ = 'l';
                *cp2++ = 't';
                *cp2 = ';';
                break;
                case '>':
                *cp2++ = '&';
                *cp2++ = 'g';
                *cp2++ = 't';
                *cp2 = ';';
                break;
                default:
                *cp2 = *cp1;
                break;
                }
            }
        *cp2 = '\0';
        }

So when '<' or '>' are found in the input we "pay for 1 and get 3 for
free"; this allows us to overwrite bits of ebp and indirectly control eip
(assuming it's been compiled with gcc < 3.0).

-----------------------------------------------------------------------
Workaround:
-----------------------------------------------------------------------

Upgrade to version 2.24

-----------------------------------------------------------------------
Disclosure Timeline:
-----------------------------------------------------------------------

09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release

-----------------------------------------------------------------------
About Texonet:
-----------------------------------------------------------------------

Texonet is a Swedish-based security company with a focus on penetration
testing / security assessments, research and development.

-----------------------------------------------------------------------
Contacting Texonet:
-----------------------------------------------------------------------

E-mail:   advisories(-at-)texonet.com
Homepage: http://www.texonet.com/
Phone:    +46-8-55174611

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------------------------------

End of this Digest
******************

--
Raj Mathur  [EMAIL PROTECTED]  http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
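The defect the advisory describes is a length check that reserves room for one byte while the '<' and '>' cases emit four. The program below is an added illustration, not part of the advisory or of thttpd: it carries the quoted defang() unchanged as the "before" case, places a bounds-checked rewrite beside it (my own variant, written for this example; it is not the fix shipped in thttpd 2.24), and runs both into a sentinel-padded buffer so the overrun can be measured rather than guessed. The helper names (defang_unsafe, defang_safe, bytes_written, safe_output_matches) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* defang() from thttpd 2.21-2.23b1 as quoted in the advisory, kept as the
 * "before" case. The loop guard only checks that ONE byte of room is left,
 * but the '<' and '>' cases write FOUR, so the copy can run up to three
 * bytes (plus the terminating NUL) past the end of dfstr. */
static void defang_unsafe(const char *str, char *dfstr, int dfsize)
{
    const char *cp1;
    char *cp2;
    for (cp1 = str, cp2 = dfstr; *cp1 != '\0' && cp2 - dfstr < dfsize - 1; ++cp1, ++cp2) {
        switch (*cp1) {
        case '<': *cp2++ = '&'; *cp2++ = 'l'; *cp2++ = 't'; *cp2 = ';'; break;
        case '>': *cp2++ = '&'; *cp2++ = 'g'; *cp2++ = 't'; *cp2 = ';'; break;
        default:  *cp2 = *cp1; break;
        }
    }
    *cp2 = '\0';
}

/* Hardened rewrite (assumption: my own variant for this example, not the
 * thttpd 2.24 code). The full expansion is sized BEFORE anything is written,
 * and the copy stops as soon as the next token would not fit, so the output
 * always ends with a NUL inside the first dfsize bytes. */
static void defang_safe(const char *str, char *dfstr, int dfsize)
{
    const char *cp1;
    char *cp2 = dfstr;
    if (dfsize <= 0)
        return;
    for (cp1 = str; *cp1 != '\0'; ++cp1) {
        const char *rep = NULL;
        size_t need;
        if (*cp1 == '<') rep = "&lt;";
        else if (*cp1 == '>') rep = "&gt;";
        need = rep ? strlen(rep) : 1;
        /* Leave one byte for the terminator; refuse partial expansions. */
        if ((size_t)(cp2 - dfstr) + need > (size_t)dfsize - 1)
            break;
        if (rep) { memcpy(cp2, rep, need); cp2 += need; }
        else      *cp2++ = *cp1;
    }
    *cp2 = '\0';
}

typedef void (*defang_fn)(const char *, char *, int);

#define SENTINEL 0xAA
#define SLACK    16

/* Run fn against a destination of dfsize bytes followed by SLACK sentinel
 * bytes, and return how many bytes it actually touched, NUL included. A
 * result above dfsize means the function wrote past its buffer. Inputs are
 * plain ASCII, so no written byte can be mistaken for the sentinel. */
static size_t bytes_written(defang_fn fn, const char *input, int dfsize)
{
    size_t total = (size_t)dfsize + SLACK, i, written = 0;
    unsigned char *buf = malloc(total);
    if (!buf)
        return 0;
    memset(buf, SENTINEL, total);
    fn(input, (char *)buf, dfsize);
    for (i = 0; i < total; i++)
        if (buf[i] != SENTINEL)
            written = i + 1;
    free(buf);
    return written;
}

/* Returns 1 when the hardened variant produces exactly `expected`. */
static int safe_output_matches(const char *input, int dfsize, const char *expected)
{
    char out[64];
    if (dfsize > (int)sizeof out)
        return 0;
    defang_safe(input, out, dfsize);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample: an 8-byte destination and an input whose second
     * '<' lands where only one byte of room remains. */
    const char *sample = "aa<<";
    printf("unsafe wrote %zu bytes into an %d-byte buffer\n",
           bytes_written(defang_unsafe, sample, 8), 8);
    printf("safe   wrote %zu bytes into an %d-byte buffer\n",
           bytes_written(defang_safe, sample, 8), 8);
    return 0;
}
```

With the 8-byte destination, the original routine writes 11 bytes (the second '<' expands to four bytes starting at offset 6, then the NUL lands at offset 10), while the checked variant stops after "aa&lt;" and writes 7. The same sentinel-buffer technique is a cheap unit-test harness for any escaping or quoting routine whose output can be longer than its input.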