Vulnerability Development mailing list archives

Security bugs in nokia voyager, BO dev.


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Fri, 29 Sep 2000 16:13:05 GMT

Voyager works with a multipurpose cgi called html_page that makes a call to
html_gen with a filename as a template script. Html_gen produces the final
html page returned by apache.
If you test this kind of url:
http://your-nokia/http://10.1.152.2/cgi-bin/html_page?TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
you'll get a segfault error page.
If you test it from a command line, you'll reproduce the same signal.
Obviously, html_gen is unable to manage properly a big amount of data in some
of its parameters. IH is one of the html_page parameters that does the
job.

with telnet, try (under tcsh)

#setenv QUERY_STRING
"TEMPLATE=arp&IH=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#/web/cgi-bin/html_page

Content-type: text/html

<br>Html_gen exited because of signal:  Segmentation fault<br>
nokia1[admin]#

I don't exactly know the format of the arguments html_page feeds to html_gen, and
so how to reproduce signal SIGSEGV directly with html_gen.
(How can I find it with gdb?)

I'll try a precompiled FreeBSD compiler to write some test programs on my
IPSO 3.2.1.
Help would be appreciated.

Note:

Because you already must be administrator to access the Voyager setup,
the security impact is relatively low, considering that the default configuration
wasn't poorly modified.
Because Nokia IPSO isn't dedicated to multi-user work usage and no one
other than root should be able to log in, the impact for local rooting is low too,
considering the same things as above.

Gregory Duchemin
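The crash above comes from html_page handing an oversized query-string parameter (IH) to html_gen. As a defender-side illustration, the following added example (not code from the post or from Nokia) checks a CGI query string the way html_page receives it, via QUERY_STRING, against a per-parameter length budget, and runs the same check over constructed Apache access-log lines so the pattern can be hunted after the fact. The 64-byte budget, the sample log lines and the use of the name html_page as the CGI to watch are assumptions for illustration.

```python
"""
Added example (not from the original post): flag overlong CGI parameters
before they reach a helper like html_gen, and hunt for the same pattern in
access logs. All thresholds and sample data below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed per-parameter length budget. The post needed a few hundred
# bytes in IH to crash html_gen, so a budget well under that catches the
# described input while leaving ordinary Voyager requests alone.
MAX_PARAM_LEN = 64


def check_query_string(qs, max_len=MAX_PARAM_LEN):
    """Return [(name, length), ...] for every parameter value over budget.

    keep_blank_values=True keeps 'IH=' style empties visible; we are
    inspecting sizes, not validating encoding, so parsing is lenient.
    """
    return [(name, len(value))
            for name, value in parse_qsl(qs, keep_blank_values=True)
            if len(value) > max_len]


def check_cgi_env(environ, max_len=MAX_PARAM_LEN):
    """Same check on a CGI environment dict (how html_page gets its input)."""
    return check_query_string(environ.get("QUERY_STRING", ""), max_len)


# Apache common/combined log format: only the request line is needed.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines, cgi_name="html_page", max_len=MAX_PARAM_LEN):
    """Return findings for requests to cgi_name carrying oversized parameters."""
    findings = []
    for line in lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + cgi_name):
            continue
        over = check_query_string(parts.query, max_len)
        if over:
            findings.append({"path": parts.path, "params": over})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [29/Sep/2000:16:13:05 +0000] '
    '"GET /cgi-bin/html_page?TEMPLATE=arp HTTP/1.0" 200 1843',
    '10.0.0.5 - admin [29/Sep/2000:16:13:40 +0000] '
    '"GET /cgi-bin/html_page?TEMPLATE=arp&IH=' + "A" * 300 + ' HTTP/1.0" 200 71',
    '10.0.0.9 - - [29/Sep/2000:16:14:02 +0000] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    # Expected: one finding, for the html_page request with IH of length 300.
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The same check_cgi_env call is the natural place to reject a request in a CGI wrapper before any helper process is spawned; the log scanner only detects, it does not block.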



It's supposed to be a FreeBSD branch.  It's pretty different from
a regular install, from what I recall.  Where's the overflow?

                                        BB

gregory duchemin wrote:
>
> hi,
>
> is there someone here who knows exactly which *bsd nokia ipso
> originated from?
> I found an overflow last day but naturally no source, no compiler, just a
> gdb...has one of you successfully tried to install and use a pre-compiled
> compiler on this kind of system?
> thanks for your help
> Gregory
>

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at
http://profiles.msn.com.
