Webboard: 3.1.12 search.cgi remote gaining shell access exploit fix

2001-05-03 Thread Alexander Barkov

Author: Alexander Barkov
Email: [EMAIL PROTECTED]
Message:
Thanks. This is fixed in the 3.1.13 sources.
> Bad news. I just checked your very recent search.c v1.23 via WWW cvs and see that you
> added tmplt= variable parsing there. The previous buffer overflow (I posted the patch for it)
> overflows the data segment and stack by some indirect tricks, but the new tmplt= parsing
> allows direct writing to the stack because template[] is on the stack of main().
> Dangerous code is:
> sprintf(template,"%s%s%s",UDM_CONF_DIR,UDMSLASHSTR,token+6);
> It overflows even with my posted fix because UDMSTRSIZ for token is increased by
> UDM_CONF_DIR+UDMSLASHSTR characters. If someone has UDM_CONF_DIR long enough
> for shell code, he'll get it.

___
If you want to unsubscribe send "unsubscribe general"
to [EMAIL PROTECTED]




Webboard: 3.1.12 search.cgi remote gaining shell access exploit fix

2001-04-20 Thread Andrey A. Chernov

Author: Andrey A. Chernov
Email: [EMAIL PROTECTED]
Message:
> Please don't post in Russian here... 

Ok.

Bad news. I just checked your very recent search.c v1.23 via WWW cvs and see that you
added tmplt= variable parsing there. The previous buffer overflow (I posted the patch for it)
overflows the data segment and stack by some indirect tricks, but the new tmplt= parsing allows
direct writing to the stack because template[] is on the stack of main(). Dangerous
code is:
sprintf(template,"%s%s%s",UDM_CONF_DIR,UDMSLASHSTR,token+6);
It overflows even with my posted fix because UDMSTRSIZ for token is increased by
UDM_CONF_DIR+UDMSLASHSTR characters. If someone has UDM_CONF_DIR long enough
for shell code, he'll get it.

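A bounded replacement for the template-path construction Chernov describes above, as an added example that is not mnoGoSearch code: the UDM_CONF_DIR, UDMSLASHSTR and UDMSTRSIZ names follow the thread, but their values here are constructed for the demo, and the function names are hypothetical. It shows why bounding the token alone is not enough (the prefix length must be counted too) and rejects a name that would not fit instead of truncating or overflowing.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed values for the demo; the real ones live in the project's headers. */
#define UDM_CONF_DIR  "/usr/local/mnogosearch/etc"
#define UDMSLASHSTR   "/"
#define UDMSTRSIZ     64   /* kept small so the overflow boundary is easy to see */

/* Build UDM_CONF_DIR UDMSLASHSTR <name> into dst[dstsz].
 * snprintf() never writes past dstsz; a return value >= dstsz means the
 * result was cut short, which we treat as a hard error rather than silently
 * using a truncated path. Returns 0 on success, -1 if it would not fit. */
int build_template_path(char *dst, size_t dstsz, const char *name)
{
    int n;
    if (dstsz == 0) return -1;
    n = snprintf(dst, dstsz, "%s%s%s", UDM_CONF_DIR, UDMSLASHSTR, name);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';     /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

/* Handle one "tmplt=<name>" query token (token+6 skips the "tmplt=" prefix,
 * as in the original sprintf). Returns -1 for a non-tmplt or empty token,
 * otherwise the result of build_template_path(). */
int handle_tmplt_token(const char *token, char *dst, size_t dstsz)
{
    const char *name;
    if (strncmp(token, "tmplt=", 6) != 0) return -1;
    name = token + 6;
    if (name[0] == '\0') return -1;
    return build_template_path(dst, dstsz, name);
}

/* Longest template name that fits a buffer of dstsz bytes. The original code
 * bounded the token by UDMSTRSIZ but not the UDM_CONF_DIR+UDMSLASHSTR prefix,
 * so the real limit on the name is smaller by exactly that prefix length. */
size_t max_template_name_len(size_t dstsz)
{
    size_t prefix = strlen(UDM_CONF_DIR) + strlen(UDMSLASHSTR);
    return dstsz > prefix ? dstsz - 1 - prefix : 0;
}
```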






Webboard: 3.1.12 search.cgi remote gaining shell access exploit fix

2001-04-19 Thread Alexander Barkov

Author: Alexander Barkov
Email: [EMAIL PROTECTED]
Message:
Please don't post in Russian here...

> We still need to check all the places where token is parsed.
> See the description of a similar bug at http://www.void.ru/news/0103/19.html
> 





Webboard: 3.1.12 search.cgi remote gaining shell access exploit fix

2001-04-19 Thread Andrey A. Chernov

Author: Andrey A. Chernov
Email: [EMAIL PROTECTED]
Message:
We still need to check all the places where token is parsed.
See the description of a similar bug at http://www.void.ru/news/0103/19.html






Webboard: 3.1.12 search.cgi remote gaining shell access exploit fix

2001-04-19 Thread Andrey A. Chernov

Author: Andrey A. Chernov
Email: [EMAIL PROTECTED]
Message:
--- src/search.c.oldWed Feb 28 15:28:10 2001
+++ src/search.cThu Apr 19 18:02:10 2001
@@ -1269,7 +1269,8 @@
strcpy(template,env);

if((env=getenv("QUERY_STRING"))){
-   strcpy(query_string,env);
+   strncpy(query_string,env,UDMSTRSIZ-1);
+   query_string[UDMSTRSIZ-1] = '\0';
if((env=getenv("REDIRECT_STATUS"))){

/* Check Apache internal redirect  */
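Review bot: the two added lines bound QUERY_STRING correctly (strncpy to UDMSTRSIZ-1 followed by an explicit terminator, which strncpy alone does not guarantee), but the first context line of this same hunk, `strcpy(template,env);`, still copies an environment-derived string into template[] with no bound at all; it needs the same strncpy plus terminator treatment, or better, both copies should go through one small helper so the UDMSTRSIZ bound is written once.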
@@ -1316,8 +1317,10 @@
/* or under server which do not   */
/* pass an empty QUERY_STRING var */

-   if(argv[1])
-   sprintf(query_string,"q=%s",argv[1]);
+   if(argv[1]) {
+   strcpy(query_string, "q=");
+   strncat(query_string, argv[1], UDMSTRSIZ-1-2);
+   }
if(!template[0])
sprintf(template,"%s/%s", UDM_CONF_DIR,"search.htm");
}
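Review bot: the strncat bound UDMSTRSIZ-1-2 is correct for the two-byte "q=" prefix written just before it, but hard-coding the prefix length will silently go wrong if that prefix ever changes; `strncat(query_string, argv[1], UDMSTRSIZ - 1 - strlen(query_string));` keeps the arithmetic tied to what is actually in the buffer. The unchanged `sprintf(template,"%s/%s", UDM_CONF_DIR,"search.htm");` two lines below is only safe while UDM_CONF_DIR is short enough at compile time; since template is an array in main(), `snprintf(template, sizeof template, ...)` would make that assumption explicit and stop the copy if it is ever violated.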

