Bugtraq mailing list archives
Re: wwwcount remote exploit (@ Solaris)
From: Jan.Wedekind () DE UU NET (Jan Wedekind)
Date: Fri, 17 Oct 1997 11:19:14 +0200
Hello all, with Solaris (and all other systems which don't support setenv(2)) you have to use putenv(2) instead of setenv. The modified patch is applied below.
> Program: Count.cgi (wwwcount), a popular CGI web counter
> Version: Tested on 2.3, others probably affected as well (?)
> OS: All
> Impact: a buffer can be overflowed in the Count.cgi program, allowing
> remote http users to execute arbitrary commands on the target machine.
> [...]
> The actual fix is pretty simple. Apply the following patch to the file main.c. Environment variables will be cut down to their first 600 chars. The idea of this patch can also be adapted for other purposes, mainly to develop a generic cgi-bin wrapper.
Patch for Solaris and other OS with putenv(); also add -DHAVE_PUTENV in the Makefile of wwwcount 2.3: 58a59,80
void wrapit(char *envvar,int esize) { char *tmp,*tmp2; tmp=malloc(esize+strlen(envvar)+2); if(tmp==NULL) { Debug2("Can't allocate wrapper memory buffer.",0,0); exit(1); } #ifdef HAVE_PUTENV strcpy(tmp, envvar); strcat(tmp, "="); strncat(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1); tmp[strlen(envvar)+1+esize]='\0'; putenv(tmp); #else strncpy(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1); tmp[esize]='\0'; setenv(envvar,tmp,1); #endif }
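Review bot: the `#else` (setenv) branch has an off-by-one that leaves an uninitialised byte in the exported value: `strncpy(tmp,...,esize-1)` copies at most esize-1 bytes and does not terminate the string when the variable is that long or longer, yet the terminator is then written at `tmp[esize]`, so `tmp[esize-1]` is whatever malloc() returned. The terminator belongs at `tmp[esize-1]` (or copy a computed length with memcpy and terminate at that index). Two smaller points in the same hunk: `tmp` is never freed after `setenv()`, which copies its argument (keeping the buffer alive is only required in the putenv branch, where the string must outlive the call), and an unset variable is re-exported as the empty string, so any code that tests `getenv(...)==NULL` behaves differently once the wrapper has run.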
89c111 < char ---
char
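Review bot: the 89c111 hunk is unreadable as archived; only `char` survives on both the `<` side and the replacement side, so the change to line 89 cannot be reviewed here and should be checked against the author's original mail before the patch is applied.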
185a208,213
/* * avoid any buffer overflow problem by cutting some env variables */ wrapit("QUERY_STRING",600); wrapit("HTTP_REFERER",600); wrapit("HTTP_USER_AGENT",600);
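Review bot: the 600-byte cut is a mitigation placed in front of the parser, not a fix of the unbounded copy itself, and the hunk does not state how large the overflowed buffer is; the cut only helps if that buffer is larger than 600 bytes, so the size it is tuned against should be documented next to the three calls, or, better, the copy at the parse site should be bounded as well. The wrapper also covers only QUERY_STRING, HTTP_REFERER and HTTP_USER_AGENT; any other request-controlled variable the program reads is left as it arrived.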
Mit freundlichen Grüßen / best regards,

Jan Wedekind (Dipl.-Informatiker)        UUNET Deutschland GmbH
Web Competence Center                    Emil-Figge-Straße 80
Tel. +49 231 972 2280                    44227 Dortmund, Germany
Fax. +49 231 972 1180                    URL: http://www.uunet.de
Jan.Wedekind () de uu net
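As an added example (not the patch from this thread and not wwwcount's own code), the same idea, re-exporting an environment variable with its value cut to a fixed length, written in both the putenv() and setenv() forms the post contrasts. The terminator is placed at a computed index in both variants, so no uninitialised byte can end up in the exported value, and a variable that is unset stays unset. The names clamp_env_putenv, clamp_env_setenv, clamp_env and demo_clamp, and the CLAMP_DEMO_VAR variable, are assumptions for this example; the 1000-byte value is constructed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* declares setenv()/putenv() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of `val` capped at `maxlen` bytes. */
static size_t capped_len(const char *val, size_t maxlen)
{
    size_t len = strlen(val);
    return len > maxlen ? maxlen : len;
}

/* putenv() variant. The "NAME=value" string is handed to the environment
 * and must stay valid for the life of the process, so it is never freed
 * here (which is why such a wrapper has to malloc() it). */
int clamp_env_putenv(const char *name, size_t maxlen)
{
    const char *val = getenv(name);
    if (val == NULL)
        return 0;                           /* unset stays unset */
    size_t nlen = strlen(name);
    size_t vlen = capped_len(val, maxlen);
    char *entry = malloc(nlen + 1 + vlen + 1);
    if (entry == NULL)
        return -1;
    memcpy(entry, name, nlen);
    entry[nlen] = '=';
    memcpy(entry + nlen + 1, val, vlen);    /* copy before putenv() replaces val */
    entry[nlen + 1 + vlen] = '\0';          /* terminator written unconditionally */
    if (putenv(entry) != 0) {
        free(entry);
        return -1;
    }
    return (int)vlen;
}

/* setenv() variant. setenv() copies its arguments, so the temporary is
 * freed after the call. The terminator goes at tmp[vlen], which avoids the
 * uninitialised byte that strncpy(tmp, val, n-1) followed by tmp[n]='\0'
 * leaves behind when the value is long. */
int clamp_env_setenv(const char *name, size_t maxlen)
{
    const char *val = getenv(name);
    if (val == NULL)
        return 0;
    size_t vlen = capped_len(val, maxlen);
    char *tmp = malloc(vlen + 1);
    if (tmp == NULL)
        return -1;
    memcpy(tmp, val, vlen);
    tmp[vlen] = '\0';
    int rc = setenv(name, tmp, 1);
    free(tmp);
    return rc == 0 ? (int)vlen : -1;
}

/* Platform dispatch, mirroring the HAVE_PUTENV switch in the thread. */
int clamp_env(const char *name, size_t maxlen)
{
#ifdef HAVE_PUTENV
    return clamp_env_putenv(name, maxlen);
#else
    return clamp_env_setenv(name, maxlen);
#endif
}

/* Self-check: export a constructed 1000-byte value under a test name,
 * clamp it with the chosen variant and return the length getenv() then
 * reports (-1 on any failure). */
int demo_clamp(int use_putenv, size_t maxlen)
{
    const char *var = "CLAMP_DEMO_VAR";     /* constructed, not a CGI variable */
    char big[1001];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (setenv(var, big, 1) != 0)
        return -1;
    int rc = use_putenv ? clamp_env_putenv(var, maxlen)
                        : clamp_env_setenv(var, maxlen);
    if (rc < 0)
        return -1;
    const char *now = getenv(var);
    return now ? (int)strlen(now) : -1;
}

int main(void)
{
    printf("setenv variant, cap 600:  %d bytes left\n", demo_clamp(0, 600));
    printf("putenv variant, cap 600:  %d bytes left\n", demo_clamp(1, 600));
    printf("cap above value length:   %d bytes left\n", demo_clamp(0, 5000));
    return 0;
}
```

Build with `-DHAVE_PUTENV` to route clamp_env() through putenv(), as the thread's Makefile change does; without it the setenv() path is used. Like the posted patch, this is a length cap in front of the parser, not a replacement for bounding the copy at the place where the variable is actually consumed.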
Current thread:
- `smurf' multi-broadcast icmp attack T. Freak (Oct 12)
- Re: `smurf' multi-broadcast icmp attack Craig A. Huegen (Oct 13)
- Re: `smurf' multi-broadcast icmp attack Ben (Oct 13)
- broadcast ip scanning script hyped (Oct 13)
- Re: `smurf' multi-broadcast icmp attack Therapy? (Oct 16)
- Re: `smurf' multi-broadcast icmp attack Jon Lewis (Oct 16)
- Update - Seattle Lab Slmail v2.5 for NT vulnerable David LeBlanc (Oct 16)
- wwwcount remote exploit Nicolas Dubee (Oct 16)
- Re: wwwcount remote exploit (@ Solaris) Jan Wedekind (Oct 17)
- Security Hole in Explorer 4.0 Aleph One (Oct 17)
- computer immunology VaX#n8 (Oct 17)
- Jabadoo Security Hack Aleph One (Oct 17)
- WinNT syscalls insecurity Solar Designer (Oct 19)
- Re: WinNT syscalls insecurity Roger Espel Llima (Oct 18)
- Run, RunOnce and Uninstall Registry Keys Vulnerability Aleph One (Oct 16)
- <Possible follow-ups>
- Re: `smurf' multi-broadcast icmp attack Brad Powell (Oct 16)