|
|
|
|
| |
| A vulneability in tHTTPd allows remote attackers to overflow an internal buffer and partially overwrite EBP register and execute arbitrary code. |
| |
Credit:
The information has been provided by texonet.com.
|
| |
Vulnerable systems:
* tHTTPd version 2.21 up to version 2.23b1
Immune systems:
* tHTTPd version 2.24
The problem is found in libhttpd.c in the function defang()
static void defang( char* str, char* dfstr, int dfsize )
{
char* cp1;
char* cp2;
for ( cp1 = str, cp2 = dfstr;
*cp1 != '\0' && cp2 - dfstr < dfsize - 1;
++cp1, ++cp2 )
{
switch ( *cp1 )
{
case '<':
*cp2++ = '&';
*cp2++ = 'l';
*cp2++ = 't';
*cp2 = ';';
break;
case '>':
*cp2++ = '&';
*cp2++ = 'g';
*cp2++ = 't';
*cp2 = ';';
break;
default:
*cp2 = *cp1;
break;
}
}
*cp2 = '\0';
}
So when '<' or '>' are found in the input we "pay for 1 and get 3 for free", this allows us overwrite bits of EBP and indirectly control EIP (assuming its been compiled with gcc < 3.0).
Workaround:
Upgrade to version 2.24
Disclosure Timeline:
09/08/2003: Vendor notified by e-mail
09/12/2003: Vendor replies with working fix
10/27/2003: Public release
|
|
|
|
|
