BugTraq
local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Oct 29 2004 05:56PM
Larry Cashdollar (lwc vapid ath cx) (3 replies)
This was posted on the full-disclosure list sept 16 2004 by
Luiz Fernando.

http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html

The nessus check for this vulnerability recommends upgrading to
Apache version 1.3.32:

http://cgi.nessus.org/plugins/dump.php3?id=14771

But in Apache 1.3.33:

lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c
strcpy(record, user);
strcpy(pwfilename, argv[i]);
strcpy(user, argv[i + 1]);
strcpy(password, argv[i + 2]);
strcpy(scratch, line);

It is still vulnerable.

I patched my version that seemed to thwart the exploit offered by
Luiz. Here is the diff:

root@bokchoy:~/tes/apache_1.3.33/src/support# diff -uN htpasswd.orig.c
htpasswd.c
--- htpasswd.orig.c 2004-10-28 18:20:13.000000000 -0400
+++ htpasswd.c 2004-10-28 18:17:25.000000000 -0400
@@ -202,9 +202,9 @@
ap_cpystrn(record, "resultant record too long", (rlen - 1));
return ERR_OVERFLOW;
}
- strcpy(record, user);
+ strncpy(record, user,MAX_STRING_LEN - 1);
strcat(record, ":");
- strcat(record, cpw);
+ strncat(record, cpw,MAX_STRING_LEN - 1);
return 0;
}

@@ -410,14 +410,14 @@
fprintf(stderr, "%s: filename too long\n", argv[0]);
return ERR_OVERFLOW;
}
- strcpy(pwfilename, argv[i]);
+ strncpy(pwfilename, argv[i], MAX_STRING_LEN-1);
if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
(unsigned long)(sizeof(user) - 1));
return ERR_OVERFLOW;
}
}
- strcpy(user, argv[i + 1]);
+ strncpy(user, argv[i + 1],MAX_STRING_LEN-1);
if ((arg = strchr(user, ':')) != NULL) {
fprintf(stderr, "%s: username contains illegal character
'%c'\n",
argv[0], *arg);
@@ -429,7 +429,7 @@
(unsigned long)(sizeof(password) - 1));
return ERR_OVERFLOW;
}
- strcpy(password, argv[i + 2]);
+ strncpy(password, argv[i + 2],MAX_STRING_LEN - 1 );
}

#ifdef WIN32
@@ -553,7 +553,7 @@
putline(ftemp, line);
continue;
}
- strcpy(scratch, line);
+ strncpy(scratch, line,MAX_STRING_LEN -1);
/*
* See if this is our user.
*/

Larry W. Cashdollar
http://vapid.ath.cx

[ reply ]
Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Nov 01 2004 03:55PM
Henning Brauer (henning openbsd org)
Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Oct 29 2004 09:53PM
André Malo (nd perlig de) (1 replies)
Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Oct 30 2004 06:39AM
Anton R Ivanov (arivanov sigsegv cx)
Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Oct 29 2004 09:34PM
Michael Engert (michi bello engert org)


 

Privacy Statement
Copyright 2010, SecurityFocus