BugTraq
Multiple vulnerabilities in Pico Server (pServ) v3.3 Jun 11 2005 05:03PM
Raphaël Rigo ML (ml twilight-hall net)
Multiple vulnerabilities in Pico Server (pServ) v3.3

discovered by Raphaël Rigo

Product: Pico Server (pServ)
Affected Version: 3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected: all
Risk: critical
Remote Exploit: yes
URL: http://pserv.sourceforge.net/

Overview
========

Pico Server is a small web server. It is meant to be portable and configurable.
* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyser)
* forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that, by means of #define
statements, can customize the behaviour, the performance and the feature set
so as to fit the requirements better.

Vulnerabilities
===============

1) Directory traversal

A bug in the directory parsing code allows the attacker to access any
directory the server has the right to access.

Details :
pServ computes the depth of the directory the user tries to access in the
variable named depthCount. This count is decremented when a /../ is
encountered but, unfortunately, it is also incremented when a /./ is
encountered, so the attacker can pair each /../ with a /./ to make
sure depthCount never becomes negative.

Risk : HIGH
The attacker may gain important information about the system that could
lead to other attacks.

Proof of concept :
access : http://www.example.com/./../

Workaround :
There is no workaround for this vulnerability.

Solution :
Update to v3.4

-----------------------------------------------------------------------

2) Remote command execution

The directory traversal vulnerability described above also enables
remote command execution. This may help an attacker to compromise the
server.

Details :
pServ considers every request beginning with /cgi-bin/ as a script
execution.

Risk : CRITICAL
The attacker may use this vulnerability to destroy data or for other
attacks (e.g. use wget to download root exploits).

Proof of concept :
access : http://www.example.com/cgi-bin/./.././../usr/bin/ls
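Added example, not pServ's source: a reconstruction in C of the depth-counting check that sections 1 and 2 describe, with the flawed handling (a "." segment counted as a descent) beside the corrected handling, run over the two proof-of-concept paths above. Only the effect of /./ and /../ on depthCount is taken from the advisory; the per-segment parsing, the function names, the early rejection as soon as the depth goes below the document root, and the /docs/index.html sample are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the depth-counting check described in the advisory
 * (not pServ's code). The request path is walked one '/'-separated
 * segment at a time: ".." moves up one level, any other name moves down.
 * With flawed_dot_handling set, "." is also counted as moving down, which
 * is the bug: "./.." then nets to zero and the traversal goes unnoticed.
 * Returns 1 if the path never leaves the document root, 0 otherwise. */
static int path_stays_in_root(const char *path, int flawed_dot_handling)
{
    int depth = 0;
    const char *p = path;

    while (*p != '\0') {
        const char *seg;
        size_t len;

        while (*p == '/')                    /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - seg);

        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            depth--;                         /* "..": one level up */
        } else if (len == 1 && seg[0] == '.') {
            if (flawed_dot_handling)
                depth++;                     /* bug: "." treated as a descent */
            /* correct handling: "." leaves the depth unchanged */
        } else {
            depth++;                         /* ordinary path component */
        }
        if (depth < 0)                       /* left the root: reject */
            return 0;
    }
    return 1;
}

/* The check as the advisory describes it for v3.3. */
int depth_check_flawed(const char *path)
{
    return path_stays_in_root(path, 1);
}

/* The same check with "." no longer counted as a descent. */
int depth_check_fixed(const char *path)
{
    return path_stays_in_root(path, 0);
}

int main(void)
{
    /* The two proof-of-concept paths from the advisory plus one constructed
     * ordinary request that both versions should allow. */
    const char *samples[] = {
        "/./../",
        "/cgi-bin/./.././../usr/bin/ls",
        "/docs/index.html"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s flawed:%s fixed:%s\n", samples[i],
               depth_check_flawed(samples[i]) ? "allow" : "reject",
               depth_check_fixed(samples[i]) ? "allow" : "reject");
    return 0;
}
```

The flawed variant lets both proof-of-concept paths through because every "." restores the level that the following ".." removes; the corrected variant rejects them at the first segment that dips below the root, while a plain "/a/../b" is still accepted. A server should also canonicalize the resolved filesystem path and compare it against the document root rather than relying on segment counting alone.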

Workaround :
Disable cgi-bin support at compile time.

Solution :
Update to v3.4

-----------------------------------------------------------------------

3) Multiple heap overflows in cgi execution

The lack of bounds checking for cgi arguments allows an attacker to
overflow the allocated memory, possibly allowing for remote code
execution.

Details :
Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux)
but the attacker is only limited by the maximum request length (2048).
The malloc'ed buffer can therefore be overflowed.
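Added example, not pServ's code: the allocation pattern the paragraph above describes, with the unbounded copy into a MAX_PATH_LEN heap block beside a bounded version that refuses any argument that would not fit. The 128 and 2048 limits are the ones the advisory states; the function names, the use of strlen/memcpy and the constructed all-'A' arguments are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN    128   /* per-argument buffer size named in the advisory (Linux) */
#define MAX_REQUEST_LEN 2048  /* maximum request length named in the advisory */

/* The unsafe pattern the advisory describes (reconstruction, not pServ's
 * code): a fixed MAX_PATH_LEN heap buffer receives an argument whose only
 * bound is the request length, so anything over 127 bytes writes past the
 * end of the block. Kept here for contrast and never called. */
char *copy_cgi_arg_unsafe(const char *arg)
{
    char *buf = malloc(MAX_PATH_LEN);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);                /* no length check at all */
    return buf;
}

/* Bounded replacement: measure first, refuse anything that would not fit
 * together with its terminating NUL, and only then allocate and copy.
 * Rejecting beats silent truncation: a truncated script path or argument
 * would reach the CGI with a different meaning. */
char *copy_cgi_arg(const char *arg)
{
    size_t len = strlen(arg);
    char *buf;

    if (len >= MAX_PATH_LEN)
        return NULL;                 /* caller answers the request with an error */
    buf = malloc(MAX_PATH_LEN);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);       /* len + 1 <= MAX_PATH_LEN, NUL included */
    return buf;
}

/* Does the bounded copy accept this argument? (1 = yes, 0 = rejected) */
int cgi_arg_accepted(const char *arg)
{
    char *buf = copy_cgi_arg(arg);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}

/* Build a constructed argument of `len` 'A' bytes, capped at
 * MAX_REQUEST_LEN (the largest the server would ever see), and report
 * whether the bounded copy rejects it (1 = rejected, 0 = accepted). */
int long_arg_rejected(size_t len)
{
    char *arg;
    int rejected;

    if (len > MAX_REQUEST_LEN)
        len = MAX_REQUEST_LEN;
    arg = malloc(len + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rejected = !cgi_arg_accepted(arg);
    free(arg);
    return rejected;
}

int main(void)
{
    printf("127-byte argument rejected: %d\n", long_arg_rejected(127));   /* 0 */
    printf("128-byte argument rejected: %d\n", long_arg_rejected(128));   /* 1 */
    printf("2048-byte argument rejected: %d\n", long_arg_rejected(2048)); /* 1 */
    return 0;
}
```

The boundary matters: 127 bytes plus the NUL exactly fills the 128-byte block and is the longest value the bounded copy accepts; 128 bytes would already need a 129th byte for the terminator and is refused, as is anything up to the 2048-byte request limit.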

Risk : HIGH
Successful exploitation can lead to arbitrary code execution.

Workaround :
Disable cgi-bin support at compile time.

Solution :
Update to v3.4

-----------------------------------------------------------------------

Timeline
========
2005-05-18 Discovery
2005-05-19 First attempt to contact developer
2005-05-21 Second attempt
2005-05-22 Developer reply
2005-06-11 Fixed version 3.4 released and advisory published
