Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

2006.05.02
Credit: Dedi Dwianto
Risk: High
Local: No
Remote: Yes
CWE: N/A

------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High

------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Sws Web Server
Version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description : SWS is a web server for static web pages. It is very simple
              and fast, written in C (built with GCC) and distributed under
              the GPL license.

------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

A format string vulnerability in Sws Web Server allows remote attackers to
execute arbitrary code. The format string vulnerability and the buffer
overflow can be found in sws_web_server.c and ayardosyasi.h:

------------------ ayardosyasi.h ------------------------

...........
char homedizini[50];      /* configured home directory, fixed size */
char defaultsayfa[50];    /* configured default page, fixed size */
char hatasayfasi[100];    /* configured error page, fixed size */
...........

void open_log_file (void)
{
    ....
    syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server log files cannot opened. ");
    exit (1);
...........

------------------ sws_web_server.c ------------------------

cp = buf + 5;             /* request path, taken straight from the client's request line */
...........
if (buf[strlen (buf) - 1] == '/') {
    strcpy (cp, defaultsayfa);
    strcpy (home, homedizini);
    strcat (home, cp);    /* no check that the result fits in home */
.............
syslog(LOG_INFO, "Application finished.");
free(recvBuffer);
exit (1);

-----------------------------------------------------------

strcpy() and strcat() do no bounds checking: homedizini and defaultsayfa are
fixed 50-byte arrays, the request path at cp is supplied by the client, and
strcat (home, cp) appends it to home without checking that the result fits,
so an over-long request path overflows home. Several potential format string
and buffer overflow vulnerabilities have been found.
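The following C program is an added example, not code from the sws project or from this advisory. It places the unbounded strcpy()/strcat() path construction quoted above next to a bounds-checked replacement, and shows the logging rule that closes the syslog() format string issue: request data is passed as an argument to a constant "%s" format, never as the format itself. The configuration values, buffer sizes and request paths in it are constructed stand-ins, not sws defaults.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Constructed stand-ins for the values sws reads from its settings file
 * (ayardosyasi.h); they are not the project's real defaults. */
static const char homedizini[50]   = "/var/www/sws";
static const char defaultsayfa[50] = "index.html";

/* The pattern quoted in the advisory: no destination bound is checked, so a
 * request path longer than the space left in 'home' overflows it.  Kept only
 * for side-by-side comparison; nothing below calls it. */
void build_path_unsafe(char *home, const char *cp)
{
    strcpy(home, homedizini);
    strcat(home, cp);            /* cp comes straight from the request line */
}

/* Hardened replacement: build "<homedizini><path>" into a caller-sized
 * buffer, appending defaultsayfa when the request ends in '/'.
 * Returns 0 on success, -1 (and an empty buffer) if the path is not
 * absolute or the result would not fit. */
int build_path_safe(char *out, size_t outlen, const char *cp)
{
    size_t n = strlen(cp);
    int written;

    if (outlen == 0)
        return -1;
    if (n == 0 || cp[0] != '/') {
        out[0] = '\0';
        return -1;               /* request path must be absolute */
    }
    if (cp[n - 1] == '/')
        written = snprintf(out, outlen, "%s%s%s", homedizini, cp, defaultsayfa);
    else
        written = snprintf(out, outlen, "%s%s", homedizini, cp);

    if (written < 0 || (size_t)written >= outlen) {
        out[0] = '\0';
        return -1;               /* would be truncated: refuse, do not serve a mangled path */
    }
    return 0;
}

/* Logging rule: request data is an argument to a constant format, never the
 * format itself.  syslog(LOG_INFO, cp) would let "%n" in a request write to
 * process memory; syslog(LOG_INFO, "request for %s", cp) cannot. */
void log_request(const char *cp)
{
    syslog(LOG_INFO, "request for %s", cp);
}

/* The same rule applied to an in-memory log line, so the behaviour can be
 * checked offline.  Returns 0 on success, -1 if the line would be truncated. */
int format_log_line(char *out, size_t outlen, const char *cp)
{
    int written = snprintf(out, outlen, "request for %s", cp);
    return (written < 0 || (size_t)written >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256], line[128], req_long[600];

    /* Constructed request paths: a normal one, one carrying format
     * specifiers, and one far longer than any destination buffer. */
    const char *req_ok  = "/docs/";
    const char *req_fmt = "/%n%n%n%x.html";
    memset(req_long, 'A', sizeof req_long - 1);
    req_long[0] = '/';
    req_long[sizeof req_long - 1] = '\0';

    printf("%d %s\n", build_path_safe(path, sizeof path, req_ok), path);
    printf("%d (oversized request rejected)\n",
           build_path_safe(path, sizeof path, req_long));
    format_log_line(line, sizeof line, req_fmt);
    printf("%s\n", line);        /* the %n stays literal text */
    return 0;
}
```

The hardened builder refuses an over-long request instead of truncating it, because a silently truncated path can resolve to a file the administrator never meant to serve; the logging helper shows that "%n" arriving in a request path is harmless once it is only ever data for a fixed format.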
The problems likely exist due to user-supplied data being passed as the
format argument of syslog(). Note that both syslog() calls quoted above use
a constant format string, so the call that takes request data as its format
is not among the excerpts. Where that happens, a remote attacker can supply
format specifiers such as %x and %n to read and overwrite process memory,
and so redirect execution to supplied shellcode.

------------------------------------------------------------------------

Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker (at) yahoogroups (dot) com
~ #aikmel #e-c-h-o @irc.dal.net

------------------------------------------------------------------------

Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

