Vulnerability Development mailing list archives
thttpd 2.04 stack overflow
From: djb () CR YP TO (D. J. Bernstein)
Date: Wed, 10 Nov 1999 01:05:04 -0000
thttpd is a single-process web server. According to Netcraft, it's used on 1.82% of all HTTP servers, behind only Apache, IIS, Enterprise, and Rapidsite. The current version is thttpd 2.04; as far as I know, the comments below apply to all versions back to 1.90a. The thttpd web page says that thttpd is simple, small, portable, fast, and secure; it ``goes to great lengths to protect the web server machine against attacks and breakins from other sites.'' Sounds good, doesn't it?

Today I glanced at the thttpd 2.04 source code, wondering how seriously thttpd parsed HTTP If-Modified-Since fields. I was horrified to see that tdate_parse() scans %[a-zA-Z] into a fixed-size stack buffer. I tried running thttpd on a throwaway account, and feeding it an If-Modified-Since line with 1300 x's. It dumped core.

This is something that any attacker on the Internet could do to any thttpd server, taking down web service until thttpd is restarted. Presumably, at least on little-endian machines, a careful attacker can take over the thttpd server---i.e., take over web service, and anything else running as ``nobody''---by overwriting only two or three bytes of the return address. But I haven't spent any more time looking at the code.

Perhaps other people here would be interested in investigating thttpd's security in more detail. (Disclaimer: I'm writing my own HTTP server.)

---Dan
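The defect Bernstein describes is a scanf conversion with no field width: `%[a-zA-Z]` copies as many letters as the input supplies into a fixed-size stack buffer. The following is an added illustration, not thttpd's code and not part of the post, of the bounded form of that same parse: the width is set to one less than the buffer size so sscanf can never write past the buffer, and a token that fills the buffer is treated as malformed rather than silently truncated. The buffer size (16), the function names and the sample inputs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for this example; not the size thttpd uses. */
#define DAYNAME_MAX 16

/* Hardened replacement for the pattern described in the post: the original
 * scanned "%[a-zA-Z]" (unbounded) into a fixed stack buffer.  Here the field
 * width is DAYNAME_MAX - 1, so sscanf writes at most 15 letters plus the
 * terminating NUL into tok[16] regardless of input length.
 *
 * Returns 1 and copies the leading day-name token into out (size DAYNAME_MAX)
 * when the date string starts with a letter token followed by a comma;
 * returns 0 for anything else, including a token too long to fit. */
int parse_dayname(const char *date, char *out)
{
    char tok[DAYNAME_MAX];

    if (sscanf(date, "%15[a-zA-Z]", tok) != 1)
        return 0;                               /* no leading letters at all */

    size_t n = strlen(tok);
    int next_is_letter = (date[n] >= 'a' && date[n] <= 'z') ||
                         (date[n] >= 'A' && date[n] <= 'Z');

    /* The buffer was filled and more letters follow: the real token is longer
     * than we can hold, so reject instead of using a truncated value. */
    if (n == DAYNAME_MAX - 1 && next_is_letter)
        return 0;

    if (date[n] != ',')
        return 0;                               /* not "Name, ..." form */

    strcpy(out, tok);                           /* tok fits: both are DAYNAME_MAX */
    return 1;
}

/* A well-formed RFC-1123 style date: the token "Wed" is accepted. */
int demo_valid_date(void)
{
    char out[DAYNAME_MAX];
    if (!parse_dayname("Wed, 10 Nov 1999 01:05:04 GMT", out))
        return 0;
    return strcmp(out, "Wed") == 0;
}

/* Constructed input modelled on the post: 1300 letters in the header value.
 * With the bounded width this is rejected and no stack memory is overrun. */
int demo_overlong_token(void)
{
    static char value[1301];
    char out[DAYNAME_MAX];
    memset(value, 'x', 1300);
    value[1300] = '\0';
    return parse_dayname(value, out);           /* 0: rejected */
}

int main(void)
{
    printf("valid date accepted:   %d\n", demo_valid_date());
    printf("1300-letter value parsed: %d\n", demo_overlong_token());
    return 0;
}
```

The general rule the example applies: every `%s` and `%[...]` conversion into a fixed buffer needs an explicit width of buffer size minus one, and code that needs the full token must check for truncation rather than assume the buffer held it.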