Bugtraq mailing list archives

Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)


From: qitest1 <qitest1 () cercaband com>
Date: Sun, 17 Jun 2001 16:01:55 +0200 (CEST)


  /* qitest1's security advisory #002
   */
  
  Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)
  
+Systems Affected
  Any system running GazTek HTTP Daemon v1.4 (ghttpd)

+Program Description
  ghttpd is a small and easy to configure HTTP server with CGI support, 
  tested on Linux. It can run as a standalone daemon or can be called
  by inetd. It has been written by Gareth Owen <gaz () athene co uk>, 
  http://members.xoom.com/gaztek.

+Vulnerability And Impact
  A remote attacker can overflow a buffer and execute arbitrary code
  on the system with the privileges of the user running ghttpd, that
  is, nobody, since the daemon drops all of its privileges.
  In fact, in util.c at line 219 we have:
        va_start(ap, format);           // format it all into temp
        vsprintf(temp, format, ap);     // no bound on how much is written to temp
        va_end(ap);

+Solution
  The author was contacted but he did not answer. Apply a patch to
  the source code of the daemon or remove it from your system.
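  What such a patch boils down to, as an added illustration that is not
  ghttpd's code nor the author's patch: the vsprintf() call from util.c
  replaced by a bounded vsnprintf() that reports truncation instead of
  writing past the end of temp. The buffer size, the safe_format() helper
  and the sample inputs are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the demonstration; the advisory does not
 * state the real size of temp in ghttpd's util.c. */
#define TEMP_SIZE 64

/* Hypothetical replacement for the vsprintf(temp, format, ap) call.
 * Returns 0 if the whole message fit, -1 if it would have overflowed
 * (dst is then truncated but still NUL-terminated). */
static int safe_format(char *dst, size_t dstsize, const char *format, ...)
{
    va_list ap;
    int n;

    if (dstsize == 0)
        return -1;
    va_start(ap, format);
    n = vsnprintf(dst, dstsize, format, ap);   /* writes at most dstsize bytes */
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsize)
        return -1;                              /* vsprintf would have overflowed here */
    return 0;
}

/* Demonstration: format a short request path and an over-long constructed
 * one into a TEMP_SIZE buffer. Returns how many inputs were rejected. */
int demo_rejected_count(void)
{
    char temp[TEMP_SIZE];
    char longpath[512];
    int rejected = 0;

    memset(longpath, 'A', sizeof longpath - 1);   /* 511 bytes of 'A' */
    longpath[sizeof longpath - 1] = '\0';

    if (safe_format(temp, sizeof temp, "GET %s", "/index.html") != 0)
        rejected++;
    if (safe_format(temp, sizeof temp, "GET %s", longpath) != 0)
        rejected++;
    return rejected;   /* 1: only the 511-byte path is rejected */
}
```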

+Exploit
  This bug can be successfully exploited by a remote attacker. There is
  a demonstrative exploit code attached to this advisory. See the code
  for more info.

-- 
/* qitest1              http://qitest1.cjb.net *
 *    ``Ut tensio, sic vis. 69 tecum sis.''    *
 * main(){if(unsatisfied == 69) try_come(in);} */

Attachment: ghttpd.c