7752290 2002-01-05 18:04 +0000 /65 lines/ <rsanmcar@alum.uax.es>
Sent by: joel@lysator.liu.se
Imported: 2002-01-06 02:15 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20373>
Subject: BOOZT! Standard's administration cgi vulnerable to buffer overflow
------------------------------------------------------------
From: rsanmcar@alum.uax.es
To: bugtraq@securityfocus.com
Message-ID: <200201051802.g05I2Xp01111@apolo.uax.es>
BOOZT! is banner management software for Linux servers with a web-based
remote administration system. I played with version 0.9.8alpha.
Here is a reproduction of the bug:
http://127.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1
Fill the "Name Field" with enough A's (770 was fine for me). Press
"Create New Banner". It should show this:
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Let's see what happened in error_log:
[Tue Feb 5 17:13:52 2002] [error] [client 127.0.0.1] Premature end
of script headers: /usr/local/apache/cgi-bin/boozt/admin/index.cgi
Now see what the code for the AdministrationBanners function
(src/admin/banners.c) looks like:
char name[255]="";
[...]
if ((pomus=(char *)GetFromCgi("name"))==NULL)
    strcpy(name,"");
else
    strcpy(name,pomus);
There is no boundary checking in GetFromCgi:
#define GetFromCgi(name) cgiParam(name)
const char *cgiParam(const char *name)
{
return cgiPosParam((CgiPos*)listGetByName(name));
}
const char *cgiPosParam(CgiPos *where)
{
CgiElement *w=(CgiElement*)where;
DefCheck(NULL);
[ ... code to walk over the linked list ... ]
}
This way we can write A's (or shellcode) beyond the boundaries of the
"name" variable, making the CGI crash (or give us a shell with httpd
privileges).
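As an added example (not BOOZT!'s code), a hardened replacement in C for the strcpy pattern quoted above: the CGI value is copied only if it fits the 255-byte buffer, and an over-long value such as the 770 A's from the reproduction is refused instead of overrunning the stack. The names set_cgi_string and probe_name_len are chosen for this example, and the A-string it feeds in is constructed inline.

```c
#include <stdlib.h>
#include <string.h>

#define NAME_SIZE 255   /* size of "name" in src/admin/banners.c per the advisory */

enum copy_result { COPY_OK = 0, COPY_EMPTY = 1, COPY_TOO_LONG = -1 };

/* Hardened replacement for `strcpy(name, pomus)`: the destination size is the
 * contract. A missing parameter yields "", an over-long one is refused (so the
 * caller can send an HTTP error instead of silently truncating), and dst is
 * always NUL-terminated. */
enum copy_result set_cgi_string(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    if (dstsz == 0)
        return COPY_TOO_LONG;
    if (src == NULL) {                  /* parameter not supplied */
        dst[0] = '\0';
        return COPY_EMPTY;
    }
    while (n < dstsz && src[n] != '\0') /* never scan past dstsz bytes */
        n++;
    if (n == dstsz) {                   /* no room for the terminating NUL */
        dst[0] = '\0';
        return COPY_TOO_LONG;
    }
    memcpy(dst, src, n + 1);            /* n + 1 copies the NUL as well */
    return COPY_OK;
}

/* Feeds a constructed value of `len` A's (the reproduction used 770) through
 * the hardened copy into a NAME_SIZE buffer. Returns the copy_result when the
 * buffer is consistent with it, -2 on malloc failure, -3 on a mismatch. */
int probe_name_len(size_t len)
{
    char name[NAME_SIZE] = "";
    char *value = malloc(len + 1);
    int rc;
    if (value == NULL)
        return -2;
    memset(value, 'A', len);
    value[len] = '\0';
    rc = set_cgi_string(name, sizeof name, value);
    free(value);
    if (rc == COPY_OK)
        return strlen(name) == len ? rc : -3;
    return name[0] == '\0' ? rc : -3;
}
```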
Rafael San Miguel Carrasco
rsanmcar@alum.uax.es
(7752290) / <rsanmcar@alum.uax.es>/-------(Reflowed)