[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String
Vulnerability
---------------------------------------------------------------------------------------
Author : Dedi Dwianto
Date : April, 28th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Sws Web Server
version : < 0.1.7
URL : http://www.linuxprogramlama.com/
Description :
SWS is web server for static web pages.
SWS is very simple and fast. It's written in GCC and you can distribute with
GPL license.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to
cause the
program to execute arbitrary.
The format string vulnerability and buffer overflow can be found in
sws_web_server.c ayardosyasi.h file:
------------------ ayardosyasi.h ------------------------
...........
char homedizini[50];
char defaultsayfa[50];
char hatasayfasi[100];
...........
void open_log_file (void)
{
....
syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og
files cannot opened. ");
exit (1);
...........
------------------ sws_web_server.c------------------------
cp = buf + 5;
...........
if (buf[strlen (buf) - 1] == '/')
{
strcpy (cp, defaultsayfa);
strcpy (home, homedizini);
strcat (home, cp);
.............
syslog(LOG_INFO, "Application finished.");
free(recvBuffer);
exit (1);
-----------------------------------------------------------
strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been
found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------