Overflow in cgiwrap-3.5 and 3.6beta1

Summary
Description:Standard overflow
Author:Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise:Run arbitrary commants with the UID of the webserver process owner
Vulnerable Systems:Those running vulnerable versions of cgiwrap
Date:7 December 1997
Details


Date: Sun, 7 Dec 1997 00:23:15 GMT
From: Duncan Simpson <dps@IO.STARGATE.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: cgiwrap-3.5 (and 3.6beta1,              avialiblty of which is not known) buffer overrun

Hi, I have been hacking cgiwrap-3.5 for my own purposes. Anyway I spotted
a code fragmen that allocated a static buffer and printed an arbitary
lenght string in it. Exploits probably require one to create a file with
the name contiaining shellcode but that should not be a serious problem (/
means new dir and \0 does not happen).

Here is a patch:
diff -ur cgiwrap-3.6beta1/util.c cgiwrap-3.6beta1-fixed/util.c
--- cgiwrap-3.6beta1/util.c     Tue Nov 18 04:51:05 1997
+++ cgiwrap-3.6beta1-fixed/util.c       Sun Dec  7 00:15:27 1997
@@ -282,7 +282,7 @@

        if (!(fileStat.st_mode & S_IXUSR))
        {
-               sprintf(tempErrString, "Script is not executable. Issue chmod 755 %s", scriptPath);
+               snprintf(tempErrString, 254, "Script is not executable. Issue chmod 755 %s", scriptPath);
                MSG_Error_ExecutionNotPermitted(tempErrString);
        }

which should apply cleaning to 3.5 as well. (The patch is against 3.6beta1
as you can see). The maintainer has been informed.

Duncan (-:

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]