Credit:
The information has been provided by Patroklos Argyroudis.
The original article can be found at: http://census-labs.com/news/2009/12/02/corehttp-web-server/
Vulnerable Systems:
* CoreHTTP Web Server Versions 0.5.3.1 and prior
CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input validation method for handling HTTP requests with invalid method names and URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the sscanf() call at file src/http.c line numbers 45 and 46:
45: sscanf(parentsprock->buffer,
46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);
The buffers req and url are declared to be of size 256 bytes (PATHSIZE), and the sscanf() field width is also 256 (PATHSIZE_S), so the call can write up to 256 bytes of input into each buffer, leaving no room inside them for the terminating NULL byte.
Note that this is not vulnerability CVE-2007-4060 in which the same sscanf() call contained no bounds check at all.
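The following added example (not CoreHTTP code, and not from the advisory authors) shows the fix a maintainer would apply and a check that catches the defect: an sscanf() "%Ns" or "%N[...]" conversion stores up to N characters plus a NUL, so a destination of PATHSIZE bytes needs a width of PATHSIZE - 1. The value 256 for PATHSIZE is taken from the advisory; the function names, the derived format string and the oversized request line are constructed here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed value for CoreHTTP's PATHSIZE; the advisory gives the buffer size as 256. */
#define PATHSIZE 256

/* A "%<width>s" or "%<width>[...]" conversion stores up to width characters
   and then a NUL, so it needs width + 1 bytes of destination space.
   Returns 1 if the width is safe for a buffer of bufsize bytes. */
int width_fits(size_t bufsize, size_t width)
{
    return width + 1 <= bufsize;
}

/* Hardened request-line parser (hypothetical helper). The field widths are
   derived from the buffer sizes (size - 1), so the NUL terminator that
   sscanf() appends always lands inside the buffer. Returns the number of
   fields converted (2 on success) or -1 on bad arguments. */
int parse_request_line(const char *line, char *req, size_t reqsz,
                       char *url, size_t urlsz)
{
    char fmt[64];

    if (reqsz < 2 || urlsz < 2)
        return -1;
    /* Builds e.g. "%255[A-Za-z] %255s" for 256-byte buffers. */
    snprintf(fmt, sizeof fmt, "%%%zu[A-Za-z] %%%zus", reqsz - 1, urlsz - 1);
    req[0] = '\0';
    url[0] = '\0';
    return sscanf(line, fmt, req, url);
}

/* Constructed input: a request line whose URI (301 bytes) is longer than
   PATHSIZE. Returns the stored URI length, which is capped at PATHSIZE - 1,
   or -1 if parsing did not behave as expected. */
int demo_long_url_length(void)
{
    char line[512];
    char req[PATHSIZE], url[PATHSIZE];
    size_t i;

    memcpy(line, "GET /", 5);
    for (i = 5; i < 5 + 300; i++)
        line[i] = 'A';
    memcpy(line + i, " HTTP/1.0\n", 11); /* 10 characters plus the NUL */

    if (parse_request_line(line, req, sizeof req, url, sizeof url) != 2)
        return -1;
    if (strcmp(req, "GET") != 0)
        return -1;
    return (int)strlen(url);
}

int main(void)
{
    printf("PATHSIZE=%d: width 256 safe? %d, width 255 safe? %d\n",
           PATHSIZE, width_fits(PATHSIZE, 256), width_fits(PATHSIZE, 255));
    printf("stored URI length for a 301-byte URI: %d\n", demo_long_url_length());
    return 0;
}
```

The check width_fits(PATHSIZE, 256) is exactly the condition the vulnerable line violates: with the width equal to the buffer size, a 256-character method name or URI is stored in full and the NUL is written at index 256, one byte past the end.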
This vulnerability can lead to denial of service attacks against the CoreHTTP web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server. We have developed a proof-of-concept exploit to demonstrate the vulnerability:
http://census-labs.com/media/corex.txt
Patch Availability:
For the time being, one may use the following workaround to address this issue, until an official fix is released by the author:
http://census-labs.com/media/corehttp-0.5.3.1-patch.txt
CVE Information:
CVE-2009-3586