Bug#247926: apache: Apache - htdigest local buffer overflow attack.
Package: apache
Version: 1.3.29.0.2-7
Severity: normal
Whilst looking over the source to Apache I noticed that the helper
program 'htdigest' doesn't sanity test its arguments.
This allows a local buffer overflow attack.
In itself this is nothing interesting as the binary isn't setuid/setgid,
however I could imagine it being used this way in a CGI script, allowing
badness to happen.
(Yes this would be a flaw in the CGI script, not Apache, but it is
a trivial preventable bug regardless).
I see this issue was made public in Oct 2002, so I'm going to report it
here for a possible fix upstream. The mention I found is on bugtraq
here:
http://www.securityfocus.com/bid/5993/info/
Here's a demo of the flaw:
skx@undecided:~$ htdigest -c s `perl -e 'print "k"x3333'` x
Adding password for x in realm kkkkkkkkkkkkkkkkkkkkkkkkk.. snip
New password:
Re-type new password:
Segmentation fault (core dumped)
skx@undecided:~$
skx@undecided:~$ gdb htdigest core
(gdb) info registers
eax 0xa 10
...
eip 0x6b6b6b6b 0x6b6b6b6b
...
The patch below fixes this issue.
Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/
--- htdigest.c-orig 2004-05-08 01:12:14.000000000 +0100
+++ htdigest.c 2004-05-08 01:14:29.000000000 +0100
@@ -166,7 +166,8 @@
fprintf(f, "%s:%s:", user, realm);
/* Do MD5 stuff */
- sprintf(string, "%s:%s:%s", user, realm, pw);
+ memset(string, '\0',sizeof(string));
+ snprintf(string, sizeof(string)-1, "%s:%s:%s", user, realm, pw);
ap_MD5Init(&context);
ap_MD5Update(&context, (unsigned char *) string, strlen(string));
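Review bot: the replaced line `snprintf(string, sizeof(string)-1, "%s:%s:%s", user, realm, pw)` never checks the return value, so an over-long user or realm now yields a silently truncated string that is then hashed, while the `fprintf(f, "%s:%s:", user, realm)` line just above has already written the full, untruncated user and realm to the file; the resulting entry's digest would not match its own user/realm. snprintf also NUL-terminates within the size it is given, so `sizeof(string)` can be passed as-is and the added memset is unnecessary. Suggest checking the result (`int n = snprintf(...); if (n < 0 || n >= (int)sizeof(string)) { fprintf(stderr, "...too long\n"); exit(1); }`) or, better, rejecting over-long arguments before anything is written to f.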
@@ -283,11 +284,13 @@
}
fclose(f);
fclose(tfp);
+
+ memset(command,'\0', sizeof(command));
#ifndef NETWARE
#if defined(OS2) || defined(WIN32)
- sprintf(command, "copy \"%s\" \"%s\"", tn, argv[1]);
+ snprintf(command, sizeof(command)-1, "copy \"%s\" \"%s\"", tn, argv[1]);
#else
- sprintf(command, "cp %s %s", tn, argv[1]);
+ snprintf(command, sizeof(command)-1, "cp %s %s", tn, argv[1]);
#endif
system(command);
#else
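Review bot: both snprintf calls in this hunk again discard the return value, and the buffer is handed straight to `system(command)`; if `tn` or `argv[1]` is long enough to truncate, a mangled `cp`/`copy` command line runs instead of the copy failing cleanly. Check the return value against sizeof(command) and bail out before the `system()` call if the command did not fit (as in the first hunk, `sizeof(command)-1` and the added memset are not needed). Longer term, copying the temp file with rename() or plain file I/O rather than a shell command takes the shell out of this path altogether.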
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.21-4-k7
Locale: LANG=C, LC_CTYPE=en_US.UTF-8
Versions of packages apache depends on:
ii apache-common 1.3.29.0.2-7 Support files for all Apache webse
ii debconf 1.4.25 Debian configuration management sy
ii dpkg 1.10.21 Package maintenance system for Deb
pi libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
pi libdb4.2 4.2.52-16 Berkeley v4.2 Database Libraries [
pi libexpat1 1.95.6-8 XML parsing C library - runtime li
ii libmagic1 4.07-2ssp File type determination library us
ii libpam0g 0.76-21 Pluggable Authentication Modules l
ii logrotate 3.6.5-2 Log rotation utility
ii mime-support 3.26-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.4-1 Larry Wall's Practical Extraction
-- debconf information:
apache/server-name: localhost
apache/document-root: /var/www
apache/server-port: 80
* apache/enable-suexec: false
apache/init: true
apache/server-admin: you@your.address
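The pattern the patch reaches for, bounded formatting into a fixed buffer, is only safe when truncation is detected and refused rather than silently accepted. The following is an added example written for this page, not code from the bug report or from Apache's htdigest; the buffer size DIGEST_INPUT_MAX and the helper names format_digest_input and digest_args_fit are assumptions standing in for htdigest's own string[] buffer, and the over-long realm is constructed inline.

```c
/* Added example (not part of the bug report or of Apache's htdigest):
 * bounded formatting with truncation detection. Buffer size and helper
 * names are assumptions chosen for this illustration. */
#include <stdio.h>
#include <string.h>

#define DIGEST_INPUT_MAX 256   /* assumed size, stands in for htdigest's string[] */

/* Format "user:realm:pw" into out (capacity cap). Returns the number of
 * bytes written (excluding the NUL) on success, or -1 if the result would
 * not fit. snprintf always NUL-terminates when cap > 0, so the full
 * capacity is passed; the return value, not a sizeof()-1 margin, is what
 * tells us the output was truncated. */
int format_digest_input(char *out, size_t cap, const char *user,
                        const char *realm, const char *pw)
{
    if (out == NULL || cap == 0)
        return -1;
    int n = snprintf(out, cap, "%s:%s:%s", user, realm, pw);
    if (n < 0 || (size_t)n >= cap) {
        /* would have been truncated: never let a partial string be hashed */
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Up-front alternative: validate argument lengths before anything is
 * formatted or written, so later steps never see inconsistent data.
 * Returns 1 if "user:realm:pw" plus its NUL fits in cap bytes, else 0. */
int digest_args_fit(const char *user, const char *realm, const char *pw,
                    size_t cap)
{
    /* two ':' separators plus the terminating NUL */
    return strlen(user) + strlen(realm) + strlen(pw) + 3 <= cap;
}

int main(void)
{
    char buf[DIGEST_INPUT_MAX];
    char long_realm[4000];                 /* constructed over-long input */
    memset(long_realm, 'k', sizeof(long_realm) - 1);
    long_realm[sizeof(long_realm) - 1] = '\0';

    int ok  = format_digest_input(buf, sizeof buf, "x", "s", "secret");
    int bad = format_digest_input(buf, sizeof buf, "x", long_realm, "secret");
    printf("short input: %d, over-long input: %d\n", ok, bad);
    printf("fits check: %d / %d\n",
           digest_args_fit("x", "s", "secret", sizeof buf),
           digest_args_fit("x", long_realm, "secret", sizeof buf));
    return 0;
}
```

Either approach turns the original crash into a clean error; the validation helper is the one to prefer in a tool like htdigest, because it runs before the user/realm line is written to the file and so keeps the written entry and the hashed string consistent.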