Bugtraq mailing list archives
Buffer overflow in the query cgi.
From: apropos () sover net (Apropos of Nothing)
Date: Sat, 4 Jan 1997 23:29:00 -0500
The cgi script 'query' has a buffer overflow problem. Let's look at the code:

    typedef struct {
        char name[128];
        char val[128];
    } entry;

    ...

    main(int argc, char *argv[]) {
        entry entries[10000];
        register int x,m=0;
        char *cl;

        cl = getenv("QUERY_STRING");

        for(x=0;cl[0] != '\0';x++) {
            m=x;
            getword(entries[x].val,cl,'&');     /* unbounded copy into a 128-byte field */
            plustospace(entries[x].val);
            unescape_url(entries[x].val);
            getword(entries[x].name,entries[x].val,'=');
        }

And recall what Aleph1 pointed out about 'getword':

    void getword(char *word, char *line, char stop) {
        int x = 0,y;

        /* copies until 'stop' or NUL; never checks the size of 'word' */
        for(x=0;((line[x]) && (line[x] != stop));x++)
            word[x] = line[x];

        word[x] = '\0';
        if(line[x]) ++x;
        y=0;

        /* shifts the remainder of 'line' down to its start */
        while(line[y++] = line[x++]);
    }
As you can see it does no bounds checking.
OK, so looking up at query.c again we see that it copies cl (the query string) into entries[x].val (a 128-byte char) with getword... and you know what that means! My buffer overflow skills aren't very good, so I'd like to see if anyone else can exploit this. It should be pretty easy since all you have to do is supply 128 bytes, then enough code to get up to the stack and overwrite it, all in the query string.

apropos of nothing
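The fix and the check a maintainer would want for this report, as an added example that is not part of the original post or of query.c: getword_n() is a bounded replacement for getword() that keeps its in-place shifting of the remainder but never writes past the caller's buffer, longest_query_field() measures the longest '&'-separated field so an over-long request can be flagged before it reaches the CGI, and parse_query() is the loop from main() rebuilt on top of the bounded copy with a cap on the entry count. The names getword_n, longest_query_field and parse_query are assumptions made for this example, and plustospace()/unescape_url() from the original are omitted because they do not affect the bounds issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_LEN 128   /* same size as entry.name / entry.val in query.c */

/* Bounded replacement for getword(): copies at most wordsize-1 bytes of the
 * token that ends at 'stop' into word, always NUL-terminates, and removes the
 * whole token (including any part that did not fit) from the front of line,
 * exactly as the original shifts the remainder down. Returns the full token
 * length so the caller can tell whether truncation happened. */
size_t getword_n(char *word, size_t wordsize, char *line, char stop)
{
    size_t toklen = 0;
    while (line[toklen] != '\0' && line[toklen] != stop)
        toklen++;

    size_t copy = (toklen < wordsize - 1) ? toklen : wordsize - 1;
    memcpy(word, line, copy);
    word[copy] = '\0';

    size_t next = toklen;
    if (line[next] != '\0')
        next++;                       /* skip the separator itself */
    memmove(line, line + next, strlen(line + next) + 1);
    return toklen;
}

/* Defender-side check: length of the longest '&'-separated field in a raw
 * query string. Any field of FIELD_LEN bytes or more is exactly the input
 * that overruns entries[x].val in the original getword(), so this is the
 * number to alert on in a request log or a front-end filter. */
size_t longest_query_field(const char *query)
{
    size_t longest = 0, cur = 0;
    for (const char *p = query; ; p++) {
        if (*p == '&' || *p == '\0') {
            if (cur > longest)
                longest = cur;
            cur = 0;
            if (*p == '\0')
                break;
        } else {
            cur++;
        }
    }
    return longest;
}

/* Hardened version of the loop in query.c's main(): same name/value split,
 * but every copy is bounded and the entry count is capped. Returns the
 * number of pairs parsed, or -1 if any field had to be truncated. */
int parse_query(const char *query, char names[][FIELD_LEN],
                char vals[][FIELD_LEN], int max_entries)
{
    char *cl = malloc(strlen(query) + 1);   /* private copy: getword_n edits it */
    if (cl == NULL)
        return -1;
    strcpy(cl, query);

    int n = 0, truncated = 0;
    while (cl[0] != '\0' && n < max_entries) {
        /* "name=value" into vals[n], then the name out of it, as query.c does */
        if (getword_n(vals[n], FIELD_LEN, cl, '&') >= FIELD_LEN)
            truncated = 1;
        if (getword_n(names[n], FIELD_LEN, vals[n], '=') >= FIELD_LEN)
            truncated = 1;
        n++;
    }
    free(cl);
    return truncated ? -1 : n;
}

int main(void)
{
    /* constructed sample input: a normal query and one over-long field */
    char names[4][FIELD_LEN], vals[4][FIELD_LEN];
    const char *ok = "user=bob&lang=en";
    char big[256];
    memset(big, 'A', 200);
    big[200] = '\0';

    int n = parse_query(ok, names, vals, 4);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", names[i], vals[i]);

    printf("longest field in oversized query: %zu (limit %d), parse_query=%d\n",
           longest_query_field(big), FIELD_LEN - 1, parse_query(big, names, vals, 4));
    return 0;
}
```

The 200-byte field that the original getword() would write straight past entries[x].val is cut to 127 bytes here and reported through the -1 return, so the caller can reject the request instead of silently working on a truncated value.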
Current thread:
- XDM bug Angel Ortiz (Jan 02)
- <Possible follow-ups>
- Re: XDM bug Steve \ (Jan 03)
- Re: XDM bug jamie (Jan 03)
- Re: XDM bug Alex Belits (Jan 03)
- serious security bug in wu-ftpd v2.4 Aleph One (Jan 04)
- Re: serious security bug in wu-ftpd v2.4 Wietse Venema (Jan 04)
- Buffer overflow in the query cgi. Apropos of Nothing (Jan 04)
- Re: Buffer overflow in the query cgi. Thomas H. Ptacek (Jan 04)
- Re: XDM bug jamie (Jan 03)
- Re: XDM bug Mr. ManX (Jan 03)