[Full-Disclosure] pavuk buffer overflow



I have found a buffer overflow in pavuk 0.9pl28, 0.9pl27 and possibly
also in other versions. It has the identifier CAN-2004-0456.

When pavuk sends a request to a web server and the server sends back
the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP
Location header in an unsafe manner. This leads to a stack-based
buffer overflow with control over EIP.

I have attached a patch (against 0.9pl28) for this bug and a PHP
script that exhibits the problem.

Versions of pavuk with this problem are distributed by Debian
GNU/Linux (non-US), SUSE Linux and Gentoo Linux, as well as in
FreeBSD's and OpenBSD's port collections.

I finished auditing pavuk and sent off information about this
to Debian, SUSE, Gentoo and upstream on the 14th of June. SUSE
accidentally released their update on the 23rd... Gentoo released
their advisory (please credit me) on the 30th, which was the
agreed-upon release date.

// Ulf Harnhammar for the
   Debian Security Audit Project
   http://www.debian.org/security/audit/

Attachment: index.php
Description: application/httpd-php
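The unsafe pattern above is an unbounded `%[...]` conversion into a fixed stack buffer. As an added example (not pavuk's code, and not the attached patch), the following parser handles a `host:port` proxy target taken from a Location header with the width derived from the buffer size, so the limit and the declaration cannot drift apart; `parse_proxy_location`, `proxy_matches`, `overlong_host_rejected` and `PROXY_HOST_MAX` are names chosen here, not pavuk identifiers.

```c
#include <stdio.h>
#include <string.h>

#define PROXY_HOST_MAX 255   /* assumed capacity of the host buffer, excluding the NUL */

/* Parse "http://host:port" or "host:port" from a Location value into
 * host/port. Returns 1 on success, 0 when loc is absent, malformed, has
 * trailing junk, an out-of-range port, or a host longer than PROXY_HOST_MAX. */
int parse_proxy_location(const char *loc, char host[PROXY_HOST_MAX + 1], int *port)
{
    char fmt[48];
    int consumed = 0;
    const char *p = loc;

    if (!loc)
        return 0;
    if (strncmp(p, "http://", 7) == 0)
        p += 7;
    /* Build "%255[.0-9A-Za-z_-]:%d%n" with the width tied to the buffer
     * size, so the limit cannot silently drift from the declaration. */
    snprintf(fmt, sizeof fmt, "%%%d[.0-9A-Za-z_-]:%%d%%n", PROXY_HOST_MAX);
    if (sscanf(p, fmt, host, port, &consumed) != 2)
        return 0;          /* an over-long host leaves ':' unmatched -> returns 1 */
    if (p[consumed] != '\0')
        return 0;          /* trailing characters after the port */
    if (*port < 1 || *port > 65535)
        return 0;
    return 1;
}

/* Returns 1 when loc parses to exactly want_host/want_port, else 0. */
int proxy_matches(const char *loc, const char *want_host, int want_port)
{
    char host[PROXY_HOST_MAX + 1];
    int port = -1;
    if (!parse_proxy_location(loc, host, &port))
        return 0;
    return strcmp(host, want_host) == 0 && port == want_port;
}

/* Constructed over-long input: a 300-character host followed by ":80".
 * Returns 1 if the parser rejects it instead of writing past the buffer. */
int overlong_host_rejected(void)
{
    char loc[320], host[PROXY_HOST_MAX + 1];
    int port = 0;
    memset(loc, 'a', 300);
    memcpy(loc + 300, ":80", 4);   /* includes the terminating NUL */
    return parse_proxy_location(loc, host, &port) == 0;
}
```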

--- http.c.old  2001-07-30 00:06:40.000000000 +0200
+++ http.c      2004-06-14 01:33:27.000000000 +0200
@@ -1111,8 +1111,8 @@
        if (!loc)
                return -1;
 
-       if (sscanf(loc, "http://%[.0-9A-Za-z_-]:%d";, proxy, &port) < 1)
-               if (sscanf(loc, "%[.0-9A-Za-z_-]:%d", proxy, &port) !=2)
+       if (sscanf(loc, "http://%255[.0-9A-Za-z_-]:%d";, proxy, &port) < 1)
+               if (sscanf(loc, "%255[.0-9A-Za-z_-]:%d", proxy, &port) !=2)
                        return -1;
 
        _free(docp->http_proxy);
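Review bot: the width of 255 added to both sscanf calls is only safe if `proxy` is declared with at least 256 bytes, and that declaration is outside this hunk; please confirm it, or derive the width from the buffer size (a single `#define` used for both the array and the format string) so the two cannot drift apart. Also, the first format string in the `+` line still shows `";` after `%d`, which would not compile as written; if that is an archive rendering artifact rather than the real patch text it is harmless, but it should be checked before applying. The port read by `%d` remains unchecked against 1..65535, though that is pre-existing behaviour.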