Re: wwwcount remote exploit (@ Solaris)

[Jan.Wedekind () DE UU NET (Jan Wedekind)]

Hello all,

with Solaris (and all other systems which don't support setenv(2))
you have to use putenv(2) instead of setenv.
The modified patch is applied below.

> Program:   Count.cgi (wwwcount), a popular CGI web counter
>
> Version:   Tested on 2.3, others probably affected as well (?)
>
> OS:        All
>
> Impact:    a buffer can be overflowed in the Count.cgi program,
>            allowing remote http users to execute arbitrary commands
>            on the target machine.
>
> [...]

> The actual fix is pretty simple. Apply the following patch to the
> file main.c. Environment variables will be cutted down to their first
> 600 chars. The idea of this patch can also be adapted for other
> purposes, mainly to develop a generic cgi-bin wraper.

Patch for Solaris and other OS with putenv(); also add -DHAVE_PUTENV
in the Makefile of wwwcount 2.3:

58a59,80
> void wrapit(char *envvar,int esize)
> {
>    char *tmp,*tmp2;
>    tmp=malloc(esize+strlen(envvar)+2);
>    if(tmp==NULL)
>      {
>       Debug2("Can't allocate wrapper memory buffer.",0,0);
>       exit(1);
>      }
> #ifdef HAVE_PUTENV
>    strcpy(tmp, envvar);
>    strcat(tmp, "=");
>    strncat(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1);
>    tmp[strlen(envvar)+1+esize]='\0';
>    putenv(tmp);
> #else
>    strncpy(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1);
>    tmp[esize]='\0';
>    setenv(envvar,tmp,1);
> #endif
> }
89c111
<     char
---
>    char
185a208,213
>    /*
>     * avoid any buffer overflow problem by cutting some env variables
>     */
>    wrapit("QUERY_STRING",600);
>    wrapit("HTTP_REFERER",600);
>    wrapit("HTTP_USER_AGENT",600);


Mit freundlichen Grüßen / best regards,

UUNET Deutschland GmbH
Jan Wedekind
(Dipl.-Informatiker)

Web Competence Center             UUNET Deutschland GmbH
Tel. +49 231 972 2280             Emil-Figge-Straße 80
Fax. +49 231 972 1180             44227 Dortmund, Germany
Jan.Wedekind () de uu net            URL: http://www.uunet.de