Bugtraq mailing list archives
Buffer overflow in www.boutell.com cgic library
From: jon () OAKTREE CO UK (Jon Ribbens)
Date: Sun, 10 Jan 1999 16:55:04 +0000
Thomas Boutell's cgic library (version 1.05) has a buffer overflow in cgiFormEntryString() which is almost certainly exploitable. (Although it obviously depends on the program that has linked with cgic.)

The fault is because he is checking if 'len == avail' before examining each input character, but if the character is not CR or LF then 'len' is not checked after outputting the LFs but before outputting the character. (i.e. it checks that there is 1 byte free in the buffer, but then it can sometimes place 2 bytes in the buffer before checking again.)

i.e. if 'avail' is 'n' and the 'n-1'th character is LF or CR and the 'n'th character is *not* LF or CR then the character will be written at the end of the buffer (because avail == sizeofbuffer-1), and then len = avail + 1. Since he always checks for 'len == avail' rather than 'len >= avail', this means the overflow detection never kicks in, and the routine keeps copying until the end of the input. The attacker is free to copy whatever data they desire into the memory above the buffer.

As an example, the cgictest program can be segfaulted by:

$ REQUEST_METHOD=GET QUERY_STRING='address=<240 x letter 'A'>%0A<1000 x letter 'A'>' ./cgictest
Content-type: text/html

<HTML><HEAD>
<TITLE>cgic test</TITLE></HEAD>
<BODY><H1>cgic test</H1>
Name:
Address: <lots of letter A's>
Segmentation fault (core dumped)

Oh, one other point is that the 'cgiSaferSystem' function appears to be seriously misguided. It is merely escaping the '|' and ';' characters, which is of course totally inadequate.

I notified Thomas Boutell of this on 12th November 1998, he responded the same day thanking me for the report, but the version being distributed on www.boutell.com is still the buggy version.

(As an aside, I think it is safe to use Perl's quotemeta function before sending a string to a shell. It puts a backslash before all characters except [A-Za-z0-9_]. Am I right or wrong? ;-) )

Cheers

Jon
--
\/ Jon Ribbens / jon () oaktree co uk
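Added example, not from the post and not cgic's own source: a reconstruction in C of the copy loop as the post describes it (the function names, the newline-collapsing detail and the scratch buffer are assumptions), beside a hardened version that re-checks before every write and stops on '>=' rather than '=='.

```c
#include <stddef.h>

/* Constructed model of the flawed loop described above (not cgic's source).
   'len == avail' is tested once per input character, but a pending newline
   plus the character itself can add two bytes after that single test.
   Returns the number of bytes written, excluding the terminating NUL. */
static size_t copy_vulnerable(const char *in, char *out, size_t avail)
{
    size_t len = 0;
    int pending_nl = 0;
    for (; *in; in++) {
        if (len == avail)                  /* equality only: avail+1 slips past */
            break;
        if (*in == '\r' || *in == '\n') {  /* collapse CR/LF runs into one LF */
            pending_nl = 1;
            continue;
        }
        if (pending_nl)                    /* byte 1 after the check ... */
            out[len++] = '\n', pending_nl = 0;
        out[len++] = *in;                  /* ... byte 2, never re-checked */
    }
    out[len] = '\0';
    return len;
}

/* Hardened form: bound every write and stop on '>=' so an overshoot can never
   skip the stop condition; a character that no longer fits is dropped. */
static size_t copy_fixed(const char *in, char *out, size_t avail)
{
    size_t len = 0;
    int pending_nl = 0;
    for (; *in && len < avail; in++) {
        if (*in == '\r' || *in == '\n') { pending_nl = 1; continue; }
        if (pending_nl) {
            out[len++] = '\n', pending_nl = 0;
            if (len >= avail)              /* re-check before the second byte */
                break;
        }
        out[len++] = *in;
    }
    out[len] = '\0';
    return len;
}

/* Oversized scratch area (assumed, for the demo): pass it with a small
   'avail' such as 4 so the overrun is measurable without corrupting real
   memory. Constructed sample "AAA\nBBBBBBBB" with avail 4 gives 12 from
   copy_vulnerable and 4 from copy_fixed. */
static char scratch[4096];
```

The vulnerable loop passes the 'len == avail' test with len at 3, then writes the pending LF and the next byte without looking again, so len reaches 5 and the equality test never fires for the rest of the input.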