Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: "Jon Paul, Nollmann" <sinster () DARKWATER COM>
Date: Wed, 1 Nov 2000 09:28:58 -0800
Sprach Simon Tamás <simont () WESTEL900 HU>:
The Apache API ap_getpass function is a wrapper around the OS's getpass() function, in case it exists, or defines its own implementation of getpass.
[...]
Apache doesn't do this "zeroing", so it's possible to get this value.
getpass() returns a string read from the user. The ap_getpass() buffer checks for buffer overflow and copies no data if the user-supplied data is too long. The only other interesting possibility is looking at the values of passwords that _other_ people have typed.

If you could trick the buffer overflow check, then there's a possibility of passing interesting values through getpass(). You run apache yourself, do what's necessary to trick getpass(), and then apache does what you want. The buffer overflow check is of type size_t, which on all the systems I have access to is unsigned int. That means we have to pass a LOT of data in order to trick the check. In any case, unless apache is setuid/setgid, this doesn't give us any new access.

On sane operating systems, the string is read directly from /dev/tty: no redirection possibilities there. On Windows, the apache-provided getpass() routine uses _getch() to get characters, so there's probably a redirection possibility there. So on Windows, maybe we could trick an already running apache into reading a password from us?

The other possibility is in getting passwords that other people have typed. That entails finding an apache to which someone has typed a password, and making it coredump. Maybe we could trick a module into displaying the data for us, but I think coredump is the best bet. We'll need a buffer overflow exploit to do that, since we can't send signals to the apache.

The only pieces of code in the standard apache distribution that call ap_getpass() are htdigest and htpasswd. Maybe we could set things up so that one of those programs crashes the next time it runs? But unfortunately, if I, as an admin, run something and it crashes after I type a password, I'm going to immediately suspect an attack (I'll prolly be wrong, but better safe than sorry).

-- 
Jon Paul Nollmann ne' Darren Senn sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
The optimist proclaims that we live in the best of all possible worlds; and the pessimist fears this is true. James Branch Cabell, The Silver Stallion, 1926
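The two points the thread turns on are the size_t length check that refuses to copy an over-long password, and the zeroing that Apache's wrapper does not do, leaving the typed password in getpass()'s static buffer where a coredump could expose it. The following is an added example written for this archive page, not Apache's ap_getpass() and not code from either poster: a getpass()-style copy routine that performs the length check and then wipes the source buffer. The names take_password, wipe, is_zeroed and demo, and the constructed buffer standing in for the one getpass() fills from /dev/tty, are assumptions for illustration.

```c
/* Added example, not Apache code.  A getpass()-style wrapper that
 * copies a password into the caller's buffer under a size_t length
 * check and then wipes the static source buffer, which is the zeroing
 * the thread says ap_getpass() does not do.  All names here are
 * assumed for illustration. */
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Overwrite memory through a volatile pointer so the compiler cannot
 * treat the store as dead and drop it (the usual fate of a plain
 * memset() on a buffer that is never read again). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Copy the NUL-terminated password in src into dst (dstsize bytes).
 * Returns 0 on success.  If the text plus its NUL does not fit, copies
 * nothing, leaves dst empty and returns ERANGE, mirroring the overflow
 * check described in the message.  In every case the bytes of the
 * password in src are zeroed afterwards so they do not linger in the
 * buffer that getpass() reuses between calls. */
int take_password(char *src, char *dst, size_t dstsize)
{
    int rc = 0;
    size_t len = strlen(src);       /* size_t: cannot go negative */

    if (dstsize == 0) {
        wipe(src, len);
        return EINVAL;
    }
    if (len >= dstsize) {           /* no room for text plus NUL */
        dst[0] = '\0';
        rc = ERANGE;
    } else {
        memcpy(dst, src, len + 1);
    }
    wipe(src, len);
    return rc;
}

/* Check that n bytes are all zero; used to confirm the wipe. */
int is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    while (n--) acc |= *p++;
    return acc == 0;
}

/* Stand-alone run on a constructed static buffer that plays the part
 * of the one getpass() would fill from the terminal.  Returns 0 when
 * the copy succeeded and the source no longer holds the password. */
int demo(void)
{
    static char tty_buf[128];       /* stands in for getpass()'s buffer */
    char pw[16];
    int rc;

    strcpy(tty_buf, "hunter2");     /* constructed input */
    rc = take_password(tty_buf, pw, sizeof pw);
    if (rc != 0 || strcmp(pw, "hunter2") != 0)
        return 1;
    if (!is_zeroed((const unsigned char *)tty_buf, sizeof tty_buf))
        return 2;
    wipe(pw, sizeof pw);            /* caller clears its own copy too */
    return 0;
}
```

The wipe only removes the copy in the source buffer; the caller's copy in dst is its own responsibility, which is why demo() clears pw before returning. A coredump taken after both wipes would show neither.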
Current thread:
- Apache ap_getpass vulnerability Simon Tamás (Nov 02)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 03)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 03)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 04)
- Re: Apache ap_getpass vulnerability Pavel Kankovsky (Nov 05)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 07)
- Re: Apache ap_getpass vulnerability Peter Pentchev (Nov 05)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 04)
- Re: Apache ap_getpass vulnerability Peter Pentchev (Nov 05)
- Re: Apache ap_getpass vulnerability Carson Gaspar (Nov 06)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 06)
- Re: Apache ap_getpass vulnerability Carson Gaspar (Nov 06)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 03)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 03)