Re: kiss from [HeliSec] : htdigest core dumps (apache 1.3.14)

[Riley Hassell <riley () EEYE COM>]

There are various vulnerabilites in those tools.

I noticed a while ago htpasswd doesn't strip '\r', so I was able to add
unauthorized
entries.

There should definately be an audit done on those considering many times
they are
used by custom cgi's.


----- Original Message -----
From: "Helios Security (Helisec)" <NIKEBOY () RETEMAIL ES>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, February 16, 2001 10:48 AM
Subject: kiss from [HeliSec] : htdigest core dumps (apache 1.3.14)


> this is what i tried:
>
> bash-2.03$ htdigest
> Usage: htdigest [-c] passwordfile realm username
> The -c flag creates a new file.
> bash-2.03$ htdigest -c test kiss `perl -e '{print "A"x"1000"}'`
> Adding password for
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A!
> AAAAAAAAAAA
> in realm kiss.
> New password:
> Re-type new password:
> Segmentation fault
> bash-2.03$
>
> i have tried to exploit the buffer but, as i reported about newmail, the
> program crashes before actually jumping to the shellcode.