Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

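Vulnerability ID: 1053269
Vulnerability type:
Published: 2006-05-02
Updated: 2006-05-02
CVE ID: CVE-2006-2115, CVE-2006-2114
CNNVD-ID: N/A
Platform: N/A
CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2006050013
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit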
---------------------------------------------------------------------------------------

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

---------------------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Sws Web Server
version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description :

SWS is a web server for static web pages.
SWS is very simple and fast. It's written in GCC and you can distribute it under the GPL license.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary.

The format string vulnerability and buffer overflow can be found in the
sws_web_server.c and ayardosyasi.h files:

------------------ ayardosyasi.h ------------------------
...........
char homedizini[50];
char defaultsayfa[50];
char hatasayfasi[100];
...........
void open_log_file (void)
{
....
    syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server log files cannot opened. ");
    exit (1);
...........

------------------ sws_web_server.c------------------------
cp = buf + 5;
...........
if (buf[strlen (buf) - 1] == '/')
{
    strcpy (cp, defaultsayfa);
    strcpy (home, homedizini);
    strcat (home, cp);
.............
syslog(LOG_INFO, "Application finished.");
free(recvBuffer);
exit (1);
-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and buffer overflow vulnerabilities have been found.
The problems likely exist because user-supplied data is passed as the format
string argument to the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.
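
A hardened counterpart to the excerpt above, as an added example that is not taken from the advisory or from the SWS source: the path is assembled with a length-checked snprintf instead of strcpy/strcat, and logged text is passed to syslog as an argument to a constant format string. The names build_path and log_path, the 128-byte size of home, and the sample configuration values are assumptions; homedizini and defaultsayfa keep the sizes shown in ayardosyasi.h.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Sizes as declared in ayardosyasi.h; the contents are constructed samples. */
char homedizini[50]   = "/var/www";
char defaultsayfa[50] = "index.html";

/*
 * Build "<homedizini><request path>[<defaultsayfa>]" into out.
 * Returns 0 on success, -1 if the result would not fit, so an oversized
 * request is rejected instead of truncated or written past the buffer.
 * build_path and its parameters are hypothetical names.
 */
int build_path(char *out, size_t outsz, const char *req)
{
    size_t len = strlen(req);
    /* Guard the empty string: the original indexes buf[strlen(buf) - 1]. */
    int is_dir = (len > 0 && req[len - 1] == '/');
    int n = snprintf(out, outsz, "%s%s%s", homedizini, req,
                     is_dir ? defaultsayfa : "");
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Log request-derived text as data: the format string stays constant. */
void log_path(const char *path)
{
    syslog(LOG_INFO, "request for %s", path);
}

int main(void)
{
    char home[128];                 /* assumed size, not given on the page */
    if (build_path(home, sizeof home, "/docs/") == 0)
        log_path(home);             /* logs /var/www/docs/index.html */
    return 0;
}
```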

---------------------------------------------------------------------------

Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker (at) yahoogroups (dot) com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------