oss-sec mailing list archives
CVE id request: shttpd/mongoose/yassl embedded webserver
From: Nico Golde <oss-security+ml () ngolde de>
Date: Wed, 3 Aug 2011 17:56:46 +0200
Hi, I found a buffer overflow in the PUT processing of shttpd/mongoose/yassl embedded webserver (all based on the same source code). Can someone assign a CVE id to this? Upstream fix: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0# The bug: _shttpd_put_dir()/put_dir() function: 26 for (s = p = path + 2; (p = strchr(s, '/')) != NULL; s = ++p) { 27 len = p - path; 28 assert(len < sizeof(buf)); 29 (void) memcpy(buf, path, len); 30 buf[len] = '\0'; 31 32 /* Try to create intermediate directory */ 33 if (_shttpd_stat(buf, &st) == -1 && 34 _shttpd_mkdir(buf, 0755) != 0) 35 return (-1); 36 37 /* Is path itself a directory ? */ 38 if (p[1] == '\0') 39 return (0); 40 } The only guard here to avoid a buffer overflow with a long path is the assert call in line 28. Unfortunately this is disabled if you compile with -DNDEBUG and from what I see quite a lot of people are doing that in order to reduce the binary size (those are embedded webservers intended to be used in embedded environments). It seems quite some projects actually do that, including a deployed product embedded product I'm currently looking at (and that was rooted because of this bug). From what I see -DNDEBUG in the mongoose makefile this is also the default for the mingw binary. If this is not the case, this is still a DoS bug. Kind regards Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE id request: shttpd/mongoose/yassl embedded webserver Nico Golde (Aug 03)
- Re: CVE id request: shttpd/mongoose/yassl embedded webserver Josh Bressers (Aug 03)