7780148 2002-01-09 18:15 -0500 /193 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2002-01-10 20:00 by Brevbäraren
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20468>
Comment on text 7773654 by <bugzilla@redhat.com>
Subject: Details on the updated namazu packages that are available
------------------------------------------------------------
From: KF <dotslash@snosoft.com>
Cc: bugtraq@securityfocus.com
Message-ID: <3C3CCEFE.6080501@snosoft.com>
Doh! Looks like I slept on this one too long... here's some of my
personal notes on exploiting this issue. Have fun.
-KF
[root@linuxppc root]# cat misc/namzu-overflow.txt
http://www.altavista.com/sites/search/web?q=url%3Anamazu.cgi&kl=XX
This is what caught my attention [msg(XXX)] like 12 days old
[msg(XXX)] 2001-12-12 NOKUBI Takatsugu <knok@daionet.gr.jp>
[msg(XXX)] (nmz_choose_msgfile_suffix): Fixed buffer overflow.
[msg(XXX)]
http://cvs.namazu.org/~checkout~/namazu/ChangeLog?rev=1.912&content-type=text/plain
2001-12-11 NOKUBI Takatsugu <knok@daionet.gr.jp>
* nmz/field.c: Fixed possibility of buffer overflow.
2001-12-04 NOKUBI Takatsugu <knok@daionet.gr.jp>
* src/{form.c,rcfile.c,result.c}: Fixed possibility of buffer
overflow.
* src/cgi.c (validate_idxname): Fixed another cross-site scripting
vulnerability.
(cgi_get_vars): Fixed possibility of buffer overflow.
2001-07-03 Yoshinori TAKESAKO <takesako@namazu.org>
* src/result.c (my_strcasestr): Checked a buffer overflow,
the case where a character sequence was over at the 1st byte
of EUC-JP.
Here is my research on the above issues:
There are several buffer overflows in the QUERY_STRING options
Unfortunately the check in namazu.h screws us...
[root@linuxppc src]# grep CGI_QUERY_MAX *.h
namazu.h: CGI_QUERY_MAX = 512, /* Max length of a CGI query */
cgi.c: if (contlen > CGI_QUERY_MAX) {
cgi.c: printf(_("Too long QUERY_STRING"));
In other words unless you have modified namazu then you are not vuln.
Now we can exploit this via the command line as a side note
... although it's not suid...
[root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
Results:
References: [ (can't open the index) ]
No document matching your query.
Aborted (core dumped)
The eip is easily overwritten. Here only the first 2 bytes...
Starting program: /root/namazu-2.0.5/src/../src/.libs/lt-namazu yamom
`perl -e 'print "A" x 1342'`
Program received signal SIGILL, Illegal instruction.
0x41412f4c in ?? ()
So just for theory's sake and cuz I want to
code something...
we will say that we are using a custom namazu in which we modified the
following values in namazu.h.
CGI_QUERY_MAX = 512, /* Max length of a CGI query */
CGI_INDEX_NAME_MAX = 64, /* Max length of an index name in a CGI query */
Then we could be exploited.
cgi-bin/namazu.cgi?query=overflow&whence=0=en&idxname=<bof here> would
be a quick example.
-KF
bugzilla@redhat.com wrote:
> ---------------------------------------------------------------------
> Red Hat, Inc. Red Hat Security Advisory
>
> Synopsis: Updated namazu packages are available
> Advisory ID: RHSA-2001:179-05
> Issue date: 2001-12-27
> Updated on: 2002-01-09
> Product: Red Hat Linux
> Keywords: namazu cross-site scripting buffer overflow
> Cross references:
> Obsoletes: RHSA-2001:162
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated namazu packages are available for Red Hat Linux 7.0J. These
> packages fix cross-site scripting vulnerabilities. They also fix a possible
> buffer overflow.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.0J - i386
>
> 3. Problem description:
>
> Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
> inadvertently include malicious HTML tags or scripts in a dynamically
> generated page, based on unvalidated input from untrustworthy sources.
> Also, a buffer overflow vulnerability exists in the buffer size of an
> environment variable.
>
> These packages update Namazu to version 2.0.10 which is not vulnerable to
> these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which are
> not installed but included in the list will not be updated. Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
>
> Please note that this update is also available via Red Hat Network. Many
> people find this an easier way to apply updates. To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
>
>
> 6. RPMs required:
>
> Red Hat Linux 7.0J:
>
> SRPMS:
> ftp://updates.redhat.com/7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
>
> i386:
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
>
>
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> 521c9faef31dcd865d3e0090cd023d70 7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
> ae5d586caf2098a0b9aefcc7af6522a9 7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> 904dc3993c140794373471e8a1c64c61 7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
> af30f16968c527ac9e7669c812618cde 7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
>
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/about/contact/pgpkey.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> http://www.namazu.org/#news
>
>
> Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
>
>
>
>
(7780148) /KF <dotslash@snosoft.com>/-----(Rewrapped)
Comment in text 7782429 by NOKUBI Takatsugu <knok@daionet.gr.jp>
7782429 2002-01-11 10:07 -0000 /57 lines/ NOKUBI Takatsugu <knok@daionet.gr.jp>
Sent by: joel@lysator.liu.se
Imported: 2002-01-11 05:35 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External copy recipient: dotslash@snosoft.com
External copy recipient: namazu-devel-ja@namazu.org
External copy recipient: namazu-devel-en@namazu.org
Recipient: Bugtraq (import) <20491>
Comment on text 7780148 by KF <dotslash@snosoft.com>
Subject: Re: Details on the updated namazu packages that are available
------------------------------------------------------------
From: knok@daionet.gr.jp (NOKUBI Takatsugu)
To: bugtraq@securityfocus.com
Cc: dotslash@snosoft.com, namazu-devel-ja@namazu.org,
namazu-devel-en@namazu.org
Message-ID: <200201110108.KAA12823@ns1.eal.or.jp>
In article <3C3CCEFE.6080501@snosoft.com>
dotslash@snosoft.com writes:
>> Doh! Looks like I slept on this one too long... heres some of my
>> personal notes on exploiting this issue. Have fun.
Thanks for your report.
>> Here is my research on the above issues:
>> There are several buffer overflows in the QUERY_STRING options
>> Unfortunately the check in namazu.h screws us...
Yes, I had recognized it. So there is a notice about it as the
following:
libnamazu.h:
enum {
/* Size of general buffers. This MUST be larger than QUERY_MAX */
BUFSIZE = 1024,
QUERY_TOKEN_MAX = 32, /* Max number of tokens in the query. */
QUERY_MAX = 256, /* Max length of the query. */
INDEX_MAX = 64 /* Max number of databases */
};
.. Oops, it only mentions QUERY_MAX, and says nothing about
CGI_QUERY_MAX. I'll fix it.
>> In other words unless you have modified namazu then you are not vuln.
>> Now we can exploit this via the command line as a side note ... although
>> its not suid...
>> [root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
>> Results:
>>
>> References: [ (can't open the index) ]
>>
>> No document matching your query.
>> Aborted (core dumped)
The CGI program (namazu.cgi) and the command-line program (namazu) are
separate, and the command-line program is prohibited from being invoked
as CGI. Therefore I think it is not so serious.
At all events, I'll fix it in next release. Thanks.
--
NOKUBI Takatsugu
E-mail: knok@daionet.gr.jp
knok@namazu.org / knok@debian.org
(7782429) /NOKUBI Takatsugu <knok@daionet.gr.jp>/---
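Added example (not code from this thread, from KF, or from the namazu project): a C sketch of the two-layer length guard the thread discusses. It uses the limit constants quoted above (CGI_QUERY_MAX and CGI_INDEX_NAME_MAX from namazu.h, BUFSIZE and QUERY_MAX from libnamazu.h), reproduces the shape of the "contlen > CGI_QUERY_MAX" check KF found in cgi.c, and then adds the per-field bound that keeps a single parameter such as idxname inside its own smaller buffer. It also checks the invariant NOKUBI points at: BUFSIZE must stay larger than every per-field limit, which is exactly what the "custom namazu with raised limits" scenario breaks. The function names, the status codes and the sample query strings are constructed for this illustration and are not namazu's API.

```c
#include <stdio.h>
#include <string.h>

/* Limits as quoted in this thread (namazu.h / libnamazu.h, namazu 2.0.x). */
enum {
    BUFSIZE = 1024,           /* general buffer; MUST be larger than the limits below */
    QUERY_MAX = 256,          /* max length of the search query itself */
    CGI_QUERY_MAX = 512,      /* max length of the whole CGI QUERY_STRING */
    CGI_INDEX_NAME_MAX = 64   /* max length of an index name in a CGI query */
};

/* Status codes invented for this illustration (not namazu's own API). */
enum cgi_status {
    CGI_OK = 0,
    CGI_QUERY_TOO_LONG = 1,   /* whole QUERY_STRING exceeds CGI_QUERY_MAX */
    CGI_PARAM_MISSING = 2,    /* requested parameter not present */
    CGI_VALUE_TOO_LONG = 3    /* value would not fit its fixed-size buffer */
};

/* The invariant libnamazu.h's comment states: the general buffer must exceed
 * every per-field limit. Raising a limit past BUFSIZE re-opens the overflow. */
int cgi_limits_consistent(void)
{
    return BUFSIZE > CGI_QUERY_MAX && BUFSIZE > QUERY_MAX
        && BUFSIZE > CGI_INDEX_NAME_MAX;
}

/* Locate "name=value" in an '&'-separated QUERY_STRING without copying.
 * Returns a pointer to the value and stores its length, or NULL if absent. */
static const char *cgi_find_param(const char *qs, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *vlen = plen - nlen - 1;
            return p + nlen + 1;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return NULL;
}

/* Bounded extraction of one parameter into a caller-supplied buffer: first the
 * whole-string guard in the shape of cgi.c's "if (contlen > CGI_QUERY_MAX)",
 * then a per-value bound so one field cannot overrun its own smaller buffer. */
int cgi_get_param(const char *query_string, const char *name,
                  char *dst, size_t dstsize)
{
    size_t contlen = strlen(query_string);
    size_t vlen = 0;
    const char *val;

    if (contlen > CGI_QUERY_MAX)
        return CGI_QUERY_TOO_LONG;
    val = cgi_find_param(query_string, name, &vlen);
    if (val == NULL)
        return CGI_PARAM_MISSING;
    if (vlen >= dstsize)
        return CGI_VALUE_TOO_LONG;          /* reject instead of truncating */
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return CGI_OK;
}

/* Constructed sample: a well-formed request; returns 1 if idxname is "docs". */
int demo_basic(void)
{
    char idxname[CGI_INDEX_NAME_MAX + 1];
    const char *qs = "query=overflow&whence=0&lang=en&idxname=docs";
    if (cgi_get_param(qs, "idxname", idxname, sizeof idxname) != CGI_OK)
        return 0;
    return strcmp(idxname, "docs") == 0;
}

/* Constructed sample: "idxname=" followed by n 'A's; returns the status. */
int demo_long_idxname(size_t n)
{
    char qs[BUFSIZE + 16];
    char idxname[CGI_INDEX_NAME_MAX + 1];
    if (n > BUFSIZE)
        n = BUFSIZE;
    memcpy(qs, "idxname=", 8);
    memset(qs + 8, 'A', n);
    qs[8 + n] = '\0';
    return cgi_get_param(qs, "idxname", idxname, sizeof idxname);
}

/* Constructed sample: "query=" followed by n 'A's (the thread's "A" x 1024). */
int demo_long_query(size_t n)
{
    char qs[BUFSIZE + 16];
    char query[QUERY_MAX + 1];
    if (n > BUFSIZE)
        n = BUFSIZE;
    memcpy(qs, "query=", 6);
    memset(qs + 6, 'A', n);
    qs[6 + n] = '\0';
    return cgi_get_param(qs, "query", query, sizeof query);
}

int main(void)
{
    printf("limits consistent: %d\n", cgi_limits_consistent());
    printf("idxname=docs extracted: %d\n", demo_basic());
    printf("idxname 64/65 A's: %d / %d\n", demo_long_idxname(64), demo_long_idxname(65));
    printf("query 300/1024 A's: %d / %d\n", demo_long_query(300), demo_long_query(1024));
    return 0;
}
```

The 300-byte query passes the whole-string check (306 bytes is under CGI_QUERY_MAX) but is still rejected by the per-value bound, which is the case a single "contlen > CGI_QUERY_MAX" guard does not cover once a field's own buffer is smaller than the overall limit.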