[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

To: Slotto Corleone <slotto@xxxxxxxxx>
Subject: Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Fri, 30 Apr 2004 19:49:54 +0400

Dear Slotto Corleone,



--Friday, April 30, 2004, 3:43:15 AM, you wrote to 
full-disclosure@xxxxxxxxxxxxxxxx:


SC> - sphiro/libhttp/http_socks.c
SC>  int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
SC> ...
SC>  char buffer[MAX_READ +1];
SC>  char auth_buff[MAX_READ+1];
SC>  char filename[128];
SC> ...
SC> ...

<skipped>

SC>  sprintf(filename,"%s%s",config->webroot,request);  <-- oops

According  to information you provided this is stack overflow, not heap.
And  in  this  very  case it looks not to be exploitable, because behind
filename boundaries sprintf() overwrites beginning of auth_buf. Of cause
I  may  be  wrong,  full  annalists  of  source  code  required  to make
conclusion.

-- 
~/ZARAZA
Åñëè äàæå âû ïîëó÷èòå êàêîå-íèáóäü ïèñüìî, âû âñå ðàâíî íå ñóìååòå åãî 
ïðî÷èòàòü. (Òâåí)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
  - From: Slotto Corleone

Prev by Date: RE: [Full-Disclosure] viruses being sent to list
Next by Date: RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scan ners
Previous by thread: Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
Next by thread: Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
Index(es):
- Date
- Thread