Bugtraq mailing list archives

not so false alarm: query cgi problem


From: apropos () sover net (Apropos of Nothing)
Date: Fri, 10 Jan 1997 18:03:30 -0500


OK, if you were to find a server that does not observe the RFC standards
*AND* has changed its default maximum URL length, it may be vulnerable.

For interest's sake, Apache defines its max URL length like this:

/* The default string lengths */
#define MAX_STRING_LEN HUGE_STRING_LEN
#define HUGE_STRING_LEN 8192

I should note that I haven't gone through the code to find out if the
server actually truncates the URL; I imagine it does. If it didn't, it would
be susceptible to a fairly easy buffer overflow, but I digress...  I don't
know how the NCSA server defines string lengths.

Anyway, if you want to exploit the problem you'll have to send a great many
characters to the server... I've been told different string lengths by
different people.

tqbf () enteract com says:
You'll need to write 2,560,000 bytes just to write past the array of
structures, assuming there are no alignment issues making each structure
(or the array of structures) larger than that by some trivial amount.

while codewarrior () daemon org thinks:
you have to supply 1280000 bytes. ah, but you could cheat and just send
stuff like >"a&a&a&a&a&a&a&a..." as the query string...hmm...okay.  that
cuts it to 21000 bytes.

he reasons that:
the routine in question was breaking the posted data on "&" before breaking
it on "=", so that way you'd only have to provide the overflow to the last
of the 10000 query things...

I haven't had a chance to try this one out, so I don't know.  However, if
you'd like to figure it out, here's the layout for the exploit:

http://www.server.com/cgi-bin/query?[questionable.buffer.string][shellcode]

Don't forget: [shellcode] isn't actually shell code, since just forking a
shell won't do you any good... you should end your shellcode with something
like /bin/cat%20/etc/passwd or /bin/bash%20-c%20cat%20/etc/passwd

Also:  In a normal overflow you put a / character in front of the assembly
command.  When you're overflowing from a CGI I *think* you use a % character
instead.

apropos of nothing
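The overflow discussed in the post comes from splitting the query on "&" into a fixed array of structures without checking either the entry count or the per-field length. As an added example (not code from the post, nor from the NCSA or Apache servers; names and the small limits are constructed), here is a bounded parser that returns an error instead of writing past its array:

```c
#include <stdio.h>
#include <string.h>

/* Constructed limits for this example; the post mentions an array of
 * 10000 entries and Apache's 8192-byte HUGE_STRING_LEN. */
#define ENTRY_MAX 16
#define FIELD_MAX 64

struct entry {
    char name[FIELD_MAX];
    char val[FIELD_MAX];
};

/* Copy len bytes of src into dst (capacity cap) with a terminator.
 * Returns 0 instead of writing past the buffer when len does not fit. */
static int bounded_copy(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Split query on '&' then on '=', filling entries[]. Returns the number of
 * entries parsed, or -1 when the input would exceed max_entries or FIELD_MAX
 * (the two conditions a vulnerable routine would silently overflow on). */
int parse_query(const char *query, struct entry *entries, int max_entries) {
    int n = 0;
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', seglen);
        size_t nlen = eq ? (size_t)(eq - p) : seglen;      /* "a" alone: no value */
        size_t vlen = eq ? seglen - nlen - 1 : 0;
        if (n >= max_entries) return -1;                   /* array is full */
        if (!bounded_copy(entries[n].name, FIELD_MAX, p, nlen)) return -1;
        if (!bounded_copy(entries[n].val, FIELD_MAX, eq ? eq + 1 : p, vlen)) return -1;
        n++;
        p = amp ? amp + 1 : p + seglen;
    }
    return n;
}

int main(void) {
    struct entry e[ENTRY_MAX];
    int n = parse_query("q=apache&page=2", e, ENTRY_MAX);
    printf("parsed %d entries, first name=%s val=%s\n", n, e[0].name, e[0].val);
    printf("a&a&a... x17 -> %d\n", parse_query("a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a", e, ENTRY_MAX));
    return 0;
}
```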


