Multiple vulnerabilities in Pico Server (pServ) v3.3

[Raphaël Rigo ML <ml () twilight-hall net>]

                Multiple vulnerabilities in Pico Server (pServ) v3.3

                                discovered by Raphaël Rigo

Product: Pico Server (pServ)
Affected Version: 3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected: all
Risk: critical
Remote Exploit: yes
URL: http://pserv.sourceforge.net/

Overview
========

Pico Server is a small web server. It is meant to be portable and configurable.
    * small, portable
    * fast
    * CGI-BIN support
    * auto-indexing of directories
    * access and error logging (see p-reporter for an analyser)
    * forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behaviour, the performance and the feature set so
to be able to fit better the the requisites.

Vulnerabilities
===============

        1) Directory traversal

        A bug in the directory parsing code allows the attacker to access any
        directory the server has the right to access.

        Details :
        pServ computes the depth of the directory the user tries to access in the
        variable named depthCount. This counts is decreased when a /../ is
        encountered, unfortunately, it is also increased when /./ is
        encountered, allowing the attacker to use a /./ for each /../ to make
        sure depthCount is not negative.

        Risk : HIGH
        The attacker may gain important information about the system that could
        lead to other attacks.

        Proof of concept :
        access : http://www.example.com/./../

        Workaround :
        There is no workaround for this vulnerability.

        Solution :
        Update to v3.4

        -----------------------------------------------------------------------

        2) Remote command execution

        The directory traversal vulnerability described above also enables
        remote command execution. This may help an attacker to compromise the
        server.

        Details :
        pServ considers every request beginning with /cgi-bin/ as a script
        execution.

        Risk : CRITICAL
        The attacker may use this vulnerability to destroy data or for other
        attacks (i.e. use wget to download root exploits).

        Proof of concept :
        access : http://www.example.com/cgi-bin/./.././../usr/bin/ls

        Workaround :
        Disable cgi-bin support at compile time.

        Solution :
        Update to v3.4

        -----------------------------------------------------------------------

        3) Multiple heap overflows in cgi execution

        The lack of bounds checking for cgi arguments allows an attacker to
        overflow the allocated memory, possibly allowing for remote code
        execution.

        Details :
        Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux)
        but the attacker is only limited by the maximum request length (2048).
        The malloc'ed buffer can therefore be overflowed.

        Risk : HIGH
        Successful exploitation can lead to arbitrary code execution.

        Workaround :
        Disable cgi-bin support at compile time.

        Solution :
        Update to v3.4

        -----------------------------------------------------------------------


Timeline
========
2005-05-18        Discovery
2005-05-19        First attempt to contact developer
2005-05-21        Second attempt
2005-05-22        Developer reply
2005-06-11        Fixed version 3.4 released and advisory published