Bugtraq mailing list archives
not so false alarm: query cgi problem
From: apropos () sover net (Apropos of Nothing)
Date: Fri, 10 Jan 1997 18:03:30 -0500
OK, if you were to find a server that does not observe the RFC standards *AND* has changed their default maximum URL length, they may be vulnerable. For interest's sake, Apache defines its max URL length like this:

/* The default string lengths */
#define MAX_STRING_LEN HUGE_STRING_LEN
#define HUGE_STRING_LEN 8192

I should note that I haven't gone through the code to find out if the server actually truncates the URL; I imagine it does- if it didn't it would be susceptible to a fairly easy buffer overflow- but I digress... I don't know how the NCSA server defines string lengths. Anyway, if you want to exploit the problem you'll have to send a good deal of characters to the server... I've been told different string lengths by different people. tqbf () enteract com says:
You'll need to write 2,560,000 bytes just to write past the array of structures, assuming there are no alignment issues making each structure (or the array of structures) larger than that by some trivial amount.
while codewarrior () daemon org thinks:
you have to supply 1280000 bytes. ah, but you could cheat and just send stuff like >"a&a&a&a&a&a&a&a..." as the query string...hmm...okay. that cuts it to 21000 bytes.
he reasons that:
the routine in question was breaking the posted data on "&" before breaking it on "=", so that way you'd only have to provide the overflow to the last on the 10000 query things...
I haven't had a chance to try this one out, so I don't know. However, if you'd like to figure it out, here's the layout for the exploit:

http://www.server.com/cgi-bin/query?[questionable.buffer.string][shellcode]

Don't forget: [shellcode] isn't actually shell code, since just forking a shell won't do you any good... you should end your shellcode with something like /bin/cat%20/etc/passwd or /bin/bash%20-c%20cat%20/etc/passwd

Also: in a normal overflow you put a / character in front of the assembly command. When you're overflowing from a cgi I *think* you use a % character instead.

apropos of nothing
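The pattern the thread describes, written out as an added C example (this is not code from the post, nor from the NCSA or Apache sources): a fixed array of 10000 entries, a query string split on "&" first and on "=" second, the unchecked loop that walks off the end of the array beside a bounded one that refuses the request, and the "a&a&a&..." flood that shows why the overflow needs only about 20 KB rather than megabytes. The struct layout, the 128-byte field size and the function names are assumptions for illustration; the thread does not quote the real query CGI source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout, modelled on the thread's description: 10000 entries,
 * each with a fixed name and value buffer. Not the real query.c. */
#define MAX_ENTRIES 10000
#define FIELD_LEN   128

typedef struct {
    char name[FIELD_LEN];
    char val[FIELD_LEN];
} entry;

/* Copy at most FIELD_LEN-1 bytes of src[0..len) into a fixed field. */
static void set_field(char dst[FIELD_LEN], const char *src, size_t len)
{
    if (len >= FIELD_LEN)
        len = FIELD_LEN - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Split one piece on its first '=': prefix is the name, rest is the value.
 * A piece without '=' becomes a name with an empty value. */
static void split_pair(entry *e, const char *piece, size_t len)
{
    const char *eq = memchr(piece, '=', len);
    if (eq) {
        size_t nlen = (size_t)(eq - piece);
        set_field(e->name, piece, nlen);
        set_field(e->val, eq + 1, len - nlen - 1);
    } else {
        set_field(e->name, piece, len);
        set_field(e->val, "", 0);
    }
}

/* Vulnerable pattern: one entry per '&'-separated piece, with no check on x.
 * Fed 10000+ pieces, the writes run past the end of the array. Returns the
 * number of pieces written. Only ever called here on short input. */
int parse_query_unchecked(const char *query, entry *entries)
{
    int x = 0;
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        split_pair(&entries[x++], p, len);   /* no bound on x */
        if (!amp)
            break;
        p = amp + 1;
    }
    return x;
}

/* Hardened form: identical split, but the request is rejected (-1) as soon
 * as it would need more than cap entries. */
int parse_query_checked(const char *query, entry *entries, int cap)
{
    int x = 0;
    const char *p = query;
    while (*p) {
        if (x >= cap)
            return -1;                       /* refuse instead of overflowing */
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        split_pair(&entries[x++], p, len);
        if (!amp)
            break;
        p = amp + 1;
    }
    return x;
}

/* Build the "a&a&a&..." flood: n one-byte pieces cost 2n-1 bytes, so
 * pushing past a 10000-entry array takes about 20 KB of query string.
 * Returns the length written, or 0 if buf is too small. */
size_t build_flood(char *buf, size_t bufsize, int n)
{
    size_t need = (size_t)(2 * n - 1);
    if (n <= 0 || need + 1 > bufsize)
        return 0;
    for (int i = 0; i < n; i++) {
        buf[2 * i] = 'a';
        if (i + 1 < n)
            buf[2 * i + 1] = '&';
    }
    buf[need] = '\0';
    return need;
}

/* Run a flood of `pieces` entries through the hardened parser against a
 * full-size array; -1 means it was rejected, -2 means the flood did not fit. */
int demo_flood(int pieces)
{
    static entry entries[MAX_ENTRIES];
    static char flood[2 * MAX_ENTRIES + 64];
    if (build_flood(flood, sizeof flood, pieces) == 0)
        return -2;
    return parse_query_checked(flood, entries, MAX_ENTRIES);
}

int main(void)
{
    printf("10000 pieces -> %d, 10001 pieces -> %d\n",
           demo_flood(MAX_ENTRIES), demo_flood(MAX_ENTRIES + 1));
    return 0;
}
```

The only difference between the two parsers is the `x >= cap` test; everything else about the split is the same, which is the point: the fix is a single bounds check, and the flood input is what makes the missing check cheap to reach.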