[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#247926: apache: Apache - htdigest local buffer overflow attack.

Package: apache
Severity: normal

   Whilst looking over the source to Apache I noticed that the helper
 program 'htdigest' doesn't sanity test it's arguments.

  This allows a local buffer overflow attack.

  In itself this is nothing interesting as the binary isn't setuid/setgid,
 however I could imagine it being used this way in a CGI script, allowing
 badness to happen.

  (Yes this would be a flaw in the CGI script, not Apache, but it is
 a trivial preventable bug regardless).

  I see this issue was made public in Oct 2002, so I'm going to report it
 here for a possible fix upstream.  The mention I found is on bugtraq


  Here's a demo of the flaw:

skx@undecided:~$ htdigest -c s `perl -e 'print "k"x3333'` x
Adding password for x in realm kkkkkkkkkkkkkkkkkkkkkkkkk.. snip
New password: 
Re-type new password: 
Segmentation fault (core dumped)
skx@undecided:~$ gdb htdigest core
(gdb) info registers 
eax            0xa      10
eip            0x6b6b6b6b       0x6b6b6b6b

  The patch below fixes this issue.

# Debian Security Audit Project

--- htdigest.c-orig     2004-05-08 01:12:14.000000000 +0100
+++ htdigest.c  2004-05-08 01:14:29.000000000 +0100
@@ -166,7 +166,8 @@
     fprintf(f, "%s:%s:", user, realm);
     /* Do MD5 stuff */
-    sprintf(string, "%s:%s:%s", user, realm, pw);
+    memset(string, '\0',sizeof(string));
+    snprintf(string, sizeof(string)-1, "%s:%s:%s", user, realm, pw);
     ap_MD5Update(&context, (unsigned char *) string, strlen(string));
@@ -283,11 +284,13 @@
+    memset(command,'\0', sizeof(command));
 #ifndef NETWARE
 #if defined(OS2) || defined(WIN32)
-    sprintf(command, "copy \"%s\" \"%s\"", tn, argv[1]);
+    snprintf(command, sizeof(command)-1, "copy \"%s\" \"%s\"", tn, argv[1]);
-    sprintf(command, "cp %s %s", tn, argv[1]);
+    snprintf(command, sizeof(command)-1, "cp %s %s", tn, argv[1]);

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.21-4-k7
Locale: LANG=C, LC_CTYPE=en_US.UTF-8

Versions of packages apache depends on:
ii  apache-common      Support files for all Apache webse
ii  debconf                     1.4.25       Debian configuration management sy
ii  dpkg                        1.10.21      Package maintenance system for Deb
pi  libc6                       2.3.2.ds1-12 GNU C Library: Shared libraries an
pi  libdb4.2                    4.2.52-16    Berkeley v4.2 Database Libraries [
pi  libexpat1                   1.95.6-8     XML parsing C library - runtime li
ii  libmagic1                   4.07-2ssp    File type determination library us
ii  libpam0g                    0.76-21      Pluggable Authentication Modules l
ii  logrotate                   3.6.5-2      Log rotation utility
ii  mime-support                3.26-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.4-1      Larry Wall's Practical Extraction 

-- debconf information:
  apache/server-name: localhost
  apache/document-root: /var/www
  apache/server-port: 80
* apache/enable-suexec: false
  apache/init: true
  apache/server-admin: you@your.address

Reply to: