<<< Date Index >>>     <<< Thread Index >>>

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability



---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String 
Vulnerability
---------------------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Sws Web Server
version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description :

SWS is web server for static web pages. 
SWS is very simple and fast. It's written in GCC and you can distribute with 
GPL license.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to 
cause the
program to execute arbitrary. 
The format string vulnerability and buffer overflow can be found in 
sws_web_server.c ayardosyasi.h file: 

------------------ ayardosyasi.h ------------------------

                ...........
                char homedizini[50];            
                char defaultsayfa[50];          
                char hatasayfasi[100];
                ...........
                void open_log_file (void)
                {
                ....
                syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og 
files cannot     opened. ");
                exit (1);
                ...........
                
------------------ sws_web_server.c------------------------
                
                cp = buf + 5;
                ...........
                if (buf[strlen (buf) - 1] == '/')
                {
                      strcpy (cp, defaultsayfa);
                      strcpy (home, homedizini);
                      strcat (home, cp);
                .............
                syslog(LOG_INFO, "Application finished.");
                  free(recvBuffer);
                  exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been 
found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------