Bugtraq mailing list archives
Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?
From: Anton R Ivanov <arivanov () sigsegv cx>
Date: Sat, 30 Oct 2004 07:39:48 +0100
Hi list, hi Andre, Agree wholeheartedly. We saw this as far back as 1998 and ignored it for the exact same reason. I bet we were not the only ones. At the time It took me around half an hour to write a replacement user-add/password change CGI in perl. htpasswd was never intended to be run setuid or from scripts. Anyone who have tried doing so without subjecting it to an audit gets whatever they deserve. You have to understand what you are doing before whacking an arbitrary program with the +s bit. A. On Friday 29 October 2004 22:53, André Malo wrote:
* Larry Cashdollar <lwc () vapid ath cx> wrote:This was posted on the full-disclosure list sept 16 2004 by Luiz Fernando. http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html The nessus check for this vulnerability recommends upgrading to Apache version 1.3.32: http://cgi.nessus.org/plugins/dump.php3?id=14771 But in Apache 1.3.33: lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c strcpy(record, user); strcpy(pwfilename, argv[i]); strcpy(user, argv[i + 1]); strcpy(password, argv[i + 2]); strcpy(scratch, line); It is still vulnerable.If you start htpasswd from a shell and you exploit some kind of buffer overflow, you get ... a shell?. Wow! Whoever runs htpasswd setuid is darn silly. The httpd developers, the docs and commonsense tell, that the program is just not designed for such an intention. Or in other words, take any program that's not designed for being run setuid and you'll find a "vulnerability" (e.g. with malloc debug environment variables or the like). Sorry, I can't see a security vulnerability here. nd
Current thread:
- Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Anton R Ivanov (Nov 01)
- <Possible follow-ups>
- Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33? Henning Brauer (Nov 02)