oss-sec mailing list archives
Re: CVE id request: shttpd/mongoose/yassl embedded webserver
From: Josh Bressers <bressers () redhat com>
Date: Wed, 3 Aug 2011 17:00:17 -0400 (EDT)
Please use CVE-2011-2900. Thanks. -- JB ----- Original Message -----
Hi, I found a buffer overflow in the PUT processing of shttpd/mongoose/yassl embedded webserver (all based on the same source code). Can someone assign a CVE id to this? Upstream fix: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0# The bug: _shttpd_put_dir()/put_dir() function: 26 for (s = p = path + 2; (p = strchr(s, '/')) != NULL; s = ++p) { 27 len = p - path; 28 assert(len < sizeof(buf)); 29 (void) memcpy(buf, path, len); 30 buf[len] = '\0'; 31 32 /* Try to create intermediate directory */ 33 if (_shttpd_stat(buf, &st) == -1 && 34 _shttpd_mkdir(buf, 0755) != 0) 35 return (-1); 36 37 /* Is path itself a directory ? */ 38 if (p[1] == '\0') 39 return (0); 40 } The only guard here to avoid a buffer overflow with a long path is the assert call in line 28. Unfortunately this is disabled if you compile with -DNDEBUG and from what I see quite a lot of people are doing that in order to reduce the binary size (those are embedded webservers intended to be used in embedded environments). It seems quite some projects actually do that, including a deployed product embedded product I'm currently looking at (and that was rooted because of this bug). From what I see -DNDEBUG in the mongoose makefile this is also the default for the mingw binary. If this is not the case, this is still a DoS bug. Kind regards Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
Current thread:
- CVE id request: shttpd/mongoose/yassl embedded webserver Nico Golde (Aug 03)
- Re: CVE id request: shttpd/mongoose/yassl embedded webserver Josh Bressers (Aug 03)