|
|
|
|
| |
| Pavuk is a package designed for mass document retrieval. Pavuk is scriptable, and supports several advanced features, including several classes of authentication. NTLM, Basic, and Digest, are among those supported. Pavuk's digest authentication routines contain buffer overflows when processing a malicious Digest authentication challenge. In particular, buffer overflows may occur when malicious nonce or realm values are specified. |
| |
Credit:
The information has been provided by Matt Murphy.
|
| |
By responding with an HTTP 401 (Unauthorized) status, and including a Digest challenge with large values in certain fields, the buffer overflow may occur. The issue is due to unsafe sprintf() calls within the Digest authentication handler.
Impact:
Successful exploitation of this vulnerability allows an attacker to cause Pavuk to fail or potentially execute arbitrary code if he/she can cause an access to a web URL designed to exploit this issue. Function parameter overwriting allows for bypass of stack protection technologies, such as ProPolice and StackGuard, rendering them ineffective against exploitation of this vulnerability.
In combination with certain web spider packages, any attacker who was able to cause a page to be indexed by a spider using Pavuk could exploit this vulnerability.
Matt has produced a simple PHP exploit designed to demonstrate this vulnerability:
<?php
$buffer = "";
for ($i = 0; $i < 1024; $i++) {
$buffer .= "A";
}
header("WWW-Authenticate: Digest realm=\"Secured by Digest Auth\"
opaque=\"opaque\" nonce=\"$buffer\"");
header("Status: 401 Not Authorized");
?>
Workarounds:
Successful exploitation of this vulnerability requires that Digest authentication be configured. In order to protect against this vulnerability, disable HTTP authentication within Pavuk.
Solution:
Pavuk development upstream appears to have stalled. However, Pavuk is present in the FreeBSD and OpenBSD ports collections, as well as being distributed by SuSE, Gentoo, and Debian. Release was coordinated for July 26.
SuSE has issued fixes, although Matt has been informed that SuSE does not plan to issue an independent advisory. Matt am unable to find documentation of updates to Debian's packages. Matt received no responses from FreeBSD and OpenBSD during the course of coordinating releases.
Disclosure Timeline:
* July 9: Vulnerability Reported to:
- Security@gentoo.org
- Security@suse.de
- Security@freebsd.org
- Security@debian.org
- Deraadt@openbsd.org
* July 9 (Two Hours Later): SuSE's Roman Drahtmueller responds
* July 9: Per SuSE request, issue forwarded to vendor-sec@lst.de
* July 19: Initial date set for release: July 27
* July 20: SuSE requests earlier release due to recent discoveries
* July 21: Release timeline set for July 26
* July 22: Release timeline relayed to Gentoo, FreeBSD, OpenBSD
* July 26: Gentoo releases GLSA-200407-19
* July 27: Advisory released
|
|
|
|
|
|
|
