BugTraq
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability Apr 28 2006 07:22AM
the_day echo or id
---------------------------------------------------------------------------------------

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

---------------------------------------------------------------------------------------

Author : Dedi Dwianto

Date : April, 28th 2006

Location : Indonesia, Jakarta

Web : http://advisories.echo.or.id/adv/adv31-theday-2006.txt

Critical Lvl : High

---------------------------------------------------------------------------

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Sws Web Server

version : < 0.1.7

URL : http://www.linuxprogramlama.com/

Description :

SWS is a web server for static web pages.

SWS is very simple and fast. It is written in C (built with GCC) and can be distributed under the GPL license.

---------------------------------------------------------------------------

Vulnerability:

~~~~~~~~~~~~~~~~

A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary code.

The format string vulnerability and buffer overflow can be found in the files
sws_web_server.c and ayardosyasi.h:

------------------ ayardosyasi.h ------------------------
...........
char homedizini[50];     /* document root ("home directory"), fixed 50-byte buffer */
char defaultsayfa[50];   /* default page name, fixed 50-byte buffer */
char hatasayfasi[100];   /* error page name, fixed 100-byte buffer */
...........
void open_log_file (void)
{
....
    syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server log files cannot opened. ");
    exit (1);
...........
------------------ sws_web_server.c ------------------------
cp = buf + 5;                   /* pointer at offset 5 into the request buffer */
...........
if (buf[strlen (buf) - 1] == '/')
{
    strcpy (cp, defaultsayfa);  /* unbounded copy into the request buffer at cp */
    strcpy (home, homedizini);  /* unbounded copy into home */
    strcat (home, cp);          /* unbounded append; no check that homedizini + cp fits in home */
.............
syslog(LOG_INFO, "Application finished.");
free(recvBuffer);
exit (1);
-----------------------------------------------------------

strcpy() does not do bounds checking, so the copy into cp can overflow the buffer.

Several potential format string and buffer overflow vulnerabilities have been found.

The problems likely exist because user-supplied data is passed as the format string
argument to syslog().

It may be possible for a remote attacker to cause process memory to be overwritten
by supplying certain format specifiers, enabling the attacker to execute supplied
shellcode.
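As an added defensive example (not code from the SWS project or from this advisory), the C below shows bounded replacements for the two unsafe operations quoted above, the strcpy/strcat sequence that builds home and the strcpy into the request buffer at offset 5, together with the safe syslog() pattern in which request text is only ever passed as a %s argument and never as the format string. The size of the home buffer is not given on the page and is an assumption here; the request buffers, path strings and check harness are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Sizes of the globals in the advisory's ayardosyasi.h; HOME_SZ is an assumption,
 * the page does not say how large the 'home' buffer is. */
#define HOMEDIZINI_SZ 50
#define DEFAULTSAYFA_SZ 50
#define HOME_SZ 128

/* Bounded version of strcpy(home, homedizini); strcat(home, cp).
 * Returns 0 on success, -1 when the joined path would not fit (the case that
 * overflows in the original). */
int build_home_path(char *home, size_t home_sz, const char *homedizini, const char *cp)
{
    size_t need = strlen(homedizini) + strlen(cp) + 1;  /* +1 for the NUL */
    if (need > home_sz)
        return -1;
    int n = snprintf(home, home_sz, "%s%s", homedizini, cp);  /* bounded, NUL-terminated */
    return (n < 0 || (size_t)n >= home_sz) ? -1 : 0;
}

/* Bounded version of strcpy(cp, defaultsayfa) where cp = buf + offset.
 * Checks the room left after the offset before copying anything. */
int append_default_page(char *buf, size_t buf_sz, size_t offset, const char *defaultsayfa)
{
    if (offset >= buf_sz)
        return -1;
    size_t len = strlen(defaultsayfa);
    if (len + 1 > buf_sz - offset)
        return -1;
    memcpy(buf + offset, defaultsayfa, len + 1);
    return 0;
}

/* Returns 1 if s contains a '%' and therefore must never be passed as the format
 * argument of syslog()/printf(); handy as a code-review or log-audit check. */
int has_format_specifier(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Safe pattern: constant format string, attacker-influenced text only via %s
 * (with a width limit so one request cannot flood the log). */
void log_request_safely(const char *request_line)
{
    syslog(LOG_INFO, "request: %.200s", request_line);
}

/* Exercises the helpers on constructed inputs; returns how many of the 6 checks passed. */
int run_checks(void)
{
    int ok = 0;
    char homedizini[HOMEDIZINI_SZ] = "/var/www/";   /* constructed document root */
    char defaultsayfa[DEFAULTSAYFA_SZ] = "index.html";
    char home[HOME_SZ];
    char tiny[8];                   /* too small for "/var/www/index.html" */
    char buf[16] = "GET /";         /* constructed request buffer; cp would be buf + 5 */
    char buf2[10] = "GET /";        /* too small once the default page is appended */

    ok += build_home_path(home, sizeof home, homedizini, defaultsayfa) == 0
          && strcmp(home, "/var/www/index.html") == 0;
    ok += build_home_path(tiny, sizeof tiny, homedizini, defaultsayfa) == -1;
    ok += append_default_page(buf, sizeof buf, 5, defaultsayfa) == 0
          && strcmp(buf, "GET /index.html") == 0;
    ok += append_default_page(buf2, sizeof buf2, 5, defaultsayfa) == -1;
    ok += has_format_specifier("GET /%s%s HTTP/1.0") == 1;
    ok += has_format_specifier("GET /index.html HTTP/1.0") == 0;
    return ok;
}

int main(void)
{
    printf("%d of 6 checks passed\n", run_checks());
    log_request_safely("GET /%s HTTP/1.0");  /* logged literally, never interpreted */
    return 0;
}
```

The two bounded helpers refuse the request instead of truncating silently, which is the behaviour a server should have for an oversized path; has_format_specifier() is the kind of check a reviewer or a log-audit script applies to any string that reaches a variadic formatting function.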

---------------------------------------------------------------------------

Shoutz:

~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous

~ newbie_hacker (at) yahoogroups (dot) com

~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:

~~~~~~~~

Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id

Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
