Bugtraq mailing list archives
Format string bug in awhttpd (Re: [AP] awhttpd v2.2 local DoS)
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 4 Jan 2002 15:07:13 +0300
Hello methodic,
While testing a buffer overflow in your patch (tpbuf is only 210 bytes,
but you're lucky - getreqs[i] is only 100 bytes long :))) ) I've found
a classic exploitable syslog() format string in this extremely secure
product. Patch?
- if (priority<=LOGLEVEL) syslog(tplev,buf);
+ if (priority<=LOGLEVEL) syslog(tplev,"%s",buf);
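Review bot: the two lines carry no file name and no @@ header, so they cannot be applied with patch(1) as posted; name the file that holds logthis() (the function is reproduced below) so the fix can be placed. The change itself is right: in the old call buf is the format argument, and with the procscrpt.c patch quoted below buf is tpbuf, built from getreqs[i], that is, from the F: line of a script any local user with write access to the html directory can create, so a % directive in that name is interpreted by syslog(). With "%s" as the format, buf is only data.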
#include <syslog.h>   /* for syslog() and the LOG_* levels */

void logthis(int priority, char *buf) {
    /*
    Priority is 1-4, with 1 being the highest priority.
    1 - CRITICAL ERRORS
    2 - ERRORS
    3 - WARNINGS
    4 - DEBUG INFORMATION
    */
#ifdef LOGLEVEL
    int tplev=0;
    if (priority==1) tplev=LOG_CRIT;
    if (priority==2) tplev=LOG_ERR;
    if (priority==3) tplev=LOG_WARNING;
    if (priority==4) tplev=LOG_WARNING; /* LOG_DEBUG doesn't show up in /var/messages by default, so... */
    if (priority<=LOGLEVEL) syslog(tplev,buf); /* buf is used as the format string: the bug fixed above */
#endif
}
--Friday, January 04, 2002, 2:13:48 AM, you wrote to bugtraq () securityfocus com:
m> - -- ------------------------- -- -
m> [>>(] AngryPacket Security Advisory [>(]
m> - -- ------------------------- -- -
m> +--------------------- -- -
m> + advisory information
m> +------------------ -- -
m> author: methodic <methodic () slartibartfast angrypacket com>
m> release date: 01/03/2002
m> homepage: http://sec.angrypacket.com
m> advisory id: 0x0000
m> +-------------------- -- -
m> + product information
m> +----------------- -- -
m> software: Anti-Web httpd (awhttpd)
m> author: HardCore Software
m> homepage: http://hardcoresoftware.cjb.net/awhttpd/
m> description:
m> "Anti-Web httpd is a single-process Web server that relies on its
m> inherent simplicity to be robust, and secure."
m> +---------------------- -- -
m> + vulnerability details
m> +------------------- -- -
m> problem: local denial-of-service
m> affected: awhttpd 2.2 and perhaps earlier versions
m> explanation: any local user with write access to awhttpd's html
m> directory can crash the daemon by crafting a special
m> script which is parsed by awhttpd's scripting engine
m> (which is enabled by default). the offending code
m> exists on line 29 of misc.c:
m> if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m> a sample awhttpd script looks like this:
m> # test.cgi
m> --AWHTTPD SCRIPT--
m> echo "this is a test"
m> F:test.html
m> the problem is if test.html doesn't exist in the html
m> directory, then awhttpd will crash on the fclose();
m> status: vendor was notified
m> exploit: see above
m> fix: apply the patches below or disable the scripting engine by
m> editing config.h in the root source directory of awhttpd.
m> =====[ begin cut here ]=====
m> --- misc.c.orig Wed Jan 2 16:22:24 2002
m> +++ misc.c Wed Jan 2 16:26:37 2002
m> @@ -26,7 +26,7 @@
m> void discon(int i) {
m> close(infd[i]);
m> - if (filefd[i]!= (FILE *) -1) fclose(filefd[i]);
m> + if (filefd[i]!= NULL) fclose(filefd[i]);
m> if (sending[i]>0) numofusers--;
m> sending[i]=0;
m> getreqs[i][0]=0;
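Review bot: the new comparison matches what fopen() actually returns on failure, NULL, whereas (FILE *) -1 is a value fopen() never yields, so the old test could never skip the fclose(); but filefd[i] is not reset after the fclose() in this hunk, so a slot that has been closed once keeps a stale non-NULL pointer and passes the test again on the next discon(), a double fclose(). Set `filefd[i]=NULL;` right after the fclose() (and wherever else the stream is closed), and make sure filefd[] is initialised with NULL rather than (FILE *) -1 so the check and the initialisation agree.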
m> =====[ end of misc.c patch ]=====
m> =====[ begin cut here ]=====
m> --- procscrpt.c.orig Wed Jan 2 16:27:33 2002
m> +++ procscrpt.c Wed Jan 2 16:51:47 2002
m> @@ -38,6 +38,12 @@
m> sending[i]=1;
m> strcpy(getreqs[i],tpbuf+2);
m> stripcrlf(getreqs[i]);
m> + if(doesfileexist(getreqs[i]) == 0) {
m> + strcpy(tpbuf, "Error: cannot locate ");
m> + strncat(tpbuf, getreqs[i], 256);
m> + strcat(tpbuf, " for reading!\n");
m> + logthis(3, tpbuf);
m> + }
m> fclose(filefd[i]);
m> } else if (tpbuf[0]==0) {
m> discon(i);
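Review bot: the added block logs the missing file and then falls through, so sending[i] is still 1, getreqs[i] still names a file that is not there, and the request continues exactly as before; on this path the crash is prevented only by the misc.c change, so call discon(i) (or otherwise abort the request) after logthis(). Two points on the new lines themselves: `strncat(tpbuf, getreqs[i], 256)` permits more bytes than tpbuf holds (210 per the reply above; only the 100-byte getreqs[i] keeps it safe), so bound it by sizeof(tpbuf) less the bytes already in it; and tpbuf goes to logthis(3, tpbuf), which hands it to syslog() as the format string, so a % in the F: line of a script becomes a directive. Pair this with the syslog(tplev, "%s", buf) change.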
m> =====[ end of procscrpt.c patch ]=====
m> +-------- -- -
m> + credits
m> +----- -- -
m> Bug was found by methodic of AngryPacket security group.
m> Patches by methodic.
m> +----------- -- -
m> + disclaimer
m> +-------- -- -
m> The contents of this advisory are Copyright (c) 2002 AngryPacket
m> Security, and may be distributed freely provided that no fee is charged
m> for distribution and that proper credit is given. As such, AngryPacket
m> Security group, collectively or individually, shall not be held liable
m> or responsible for the misuse of any information contained herein.
m> - -- ------------------------- -- -
m> [>>(] AngryPacket Security Advisory [>(]
m> - -- ------------------------- -- -
--
~/ZARAZA
Eternal memory to Saint Patrick! (Twain)
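As an added example (mine, not awhttpd's code and not either poster's): the hardened logthis() from the reply above, a bounded version of the message the procscrpt.c patch builds, and two checks that flag messages the old syslog(tplev, buf) call would have interpreted. The log sink is modelled as snprintf() into a caller-supplied buffer so the result can be inspected; in awhttpd the sink is syslog(3). Assumed: the buffer sizes 3APA3A quotes (tpbuf 210, getreqs[i] 100); the script line and every function name here are constructed for this example.

```c
/* Added example, not awhttpd code: the syslog() format-string fix with the
 * checks a reviewer would want around it. The sink is modelled as snprintf()
 * into a buffer so its behaviour can be inspected; in awhttpd it is syslog(3).
 * Sizes are the ones 3APA3A quotes; the script line is constructed input. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define TPBUF_SIZE 210   /* tpbuf size quoted in the reply */
#define GETREQ_SIZE 100  /* getreqs[i] size quoted in the reply */

/* Constructed sample: the F: line of an awhttpd script written by a local
 * user with write access to the html directory. */
static const char SAMPLE_SCRIPT_LINE[] = "F:%08x.%08x.%n";

/* Count the conversion directives printf-family functions would act on in
 * msg ("%%" is a literal percent and is not counted). Non-zero means
 * syslog(prio, msg) would interpret attacker data as a format. */
int count_format_directives(const char *msg) {
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Non-zero if msg carries "%n" (after optional flags/width/length), the
 * directive that turns a format-string bug into a memory write. */
int has_write_directive(const char *msg) {
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') return 1;
    }
    return 0;
}

/* Priority mapping from logthis(); out-of-range priorities fall to
 * LOG_WARNING here instead of the original's 0 (which is LOG_EMERG). */
int syslog_priority(int priority) {
    switch (priority) {
    case 1:  return LOG_CRIT;
    case 2:  return LOG_ERR;
    default: return LOG_WARNING;   /* 3, 4 and anything else */
    }
}

/* The message methodic's patch builds, bounded by the destination size
 * rather than a constant larger than tpbuf. Returns the length written,
 * or -1 when fname does not fit (log a fixed message in that case). */
int build_missing_file_msg(char *out, size_t outsz, const char *fname) {
    int n = snprintf(out, outsz, "Error: cannot locate %s for reading!\n", fname);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hardened logthis(): buf is an argument, never the format. sink/sinksz
 * stand in for syslog(); the real call is syslog(tplev, "%s", buf). */
int logthis_safe(char *sink, size_t sinksz, int priority, const char *buf) {
    int tplev = syslog_priority(priority);
    (void)tplev;   /* would be passed to syslog(); unused in the buffer model */
    return snprintf(sink, sinksz, "%s", buf);
}

/* Run the sample line through the fixed path. Returns the number of
 * directives the old syslog(tplev, buf) would have interpreted, or 0 if
 * the hardened path failed to reproduce the message verbatim. */
int demo_sample_line(void) {
    char getreq[GETREQ_SIZE], tpbuf[TPBUF_SIZE], sink[TPBUF_SIZE];
    snprintf(getreq, sizeof getreq, "%s", SAMPLE_SCRIPT_LINE + 2);   /* skip "F:" */
    if (build_missing_file_msg(tpbuf, sizeof tpbuf, getreq) < 0) return 0;
    logthis_safe(sink, sizeof sink, 3, tpbuf);
    if (strcmp(sink, tpbuf) != 0) return 0;
    return count_format_directives(tpbuf);
}

int main(void) {
    printf("directives the old call would interpret: %d\n", demo_sample_line());
    printf("sample line contains %%n: %d\n", has_write_directive(SAMPLE_SCRIPT_LINE));
    return 0;
}
```

The two check functions are the audit a practitioner would run over any string that reaches a printf-family sink as its first argument: a non-zero count means the call site needs the "%s" fix regardless of whether the data looks hostile today, and "%n" is the directive that separates an information leak from a write.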
