Mbedthis AppWeb URL Protocol Format String Handling Vulnerability

Vulnerability ID 1113127 Vulnerability Type Format String
Published 2007-06-12 Updated 2007-06-13
CVE ID CVE-2007-3009 CNNVD ID CNNVD-200706-031
Platform Multiple CVSS Score 4.3
|Vulnerability Source
https://www.exploit-db.com/exploits/30187
https://www.securityfocus.com/bid/24454
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-031
|Vulnerability Details
Mbedthis Software AppWeb is an HTTP server. AppWeb contains a format string error when handling the protocol (scheme) part of a URL; a remote attacker may exploit this flaw to cause a denial of service.

In the MprLogToFile::logEvent() function, if no real log file descriptor has been defined, some errors are written to STDERR with the following call:

=======startcode============
if (logFd < 0 && level <= 1) {
    //
    // Always output fatal and error messages
    //
    mprFprintf(MPR_STDERR, buf);
    return;
}
// OPT -- could get length above
write(logFd, buf, strlen(buf));
=========endcode==========

If a user-supplied GET request contains special characters, for example:

"GET %n://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Securitytest..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"
"GET %s%s://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Securitytest..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"
"GET %d://localhost:80/index.html HTTP/1.1..Host: 172.19.15.11..User-Agent: Securitytest..Content-Length: 0..Cache-Control: no-cache....\r\n\r\n"

the server cannot find such a page and tries to write an error message to stderr. When the string above is passed to mprFprintf as the buf parameter, mprFprintf (more precisely mprSprintfCore) tries to match the %s (or %d, %n) directive against the argument list, but no such arguments exist in the list. This causes a segmentation fault and the daemon crashes. Successful exploitation requires that logging is enabled but appweb.conf contains no ErrorLog directive.
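A hardened form of the logEvent() fallback, plus a percent-escaping helper and a simple detection count for log review, as an added example that is not AppWeb's own code: logger_printf stands in for the printf-style mprFprintf, and escape_percent and count_format_directives are assumed helper names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in (assumed, not AppWeb's code) for a printf-style logger such as
 * mprFprintf(fd, fmt, ...): whatever arrives as fmt is parsed for directives.
 * The advisory's bug is calling it as logger_printf(out, buf) with buf
 * holding the raw request line. */
static void logger_printf(FILE *out, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vfprintf(out, fmt, ap);
    va_end(ap);
}

/* Hardened form of the logEvent() fallback: the request text is data under a
 * constant format, so "%n", "%s" or "%d" inside it are printed literally. */
void log_error_fixed(FILE *out, const char *buf) {
    logger_printf(out, "%s", buf);
}

/* For call sites that must hand a string to a printf-style API they cannot
 * change: double every '%' so the result is a harmless format string.
 * Returns the length the full escaped string needs (snprintf-style), so a
 * return value >= out_size tells the caller the output was truncated. */
size_t escape_percent(const char *in, char *out, size_t out_size) {
    size_t needed = 0, written = 0;
    for (const char *p = in; *p; p++) {
        size_t w = (*p == '%') ? 2 : 1;
        /* write only whole units, and stop writing once one has been skipped */
        if (written == needed && needed + w < out_size) {
            out[written++] = *p;
            if (w == 2) out[written++] = '%';
        }
        needed += w;
    }
    if (out_size) out[written] = '\0';
    return needed;
}

/* Detection: count conversion directives ('%' not followed by another '%')
 * in a request line.  Legitimate URLs carry %XX escapes, so treat a hit as a
 * signal to review the request, not as proof of an attack. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}
```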
|Vulnerability EXP
source: http://www.securityfocus.com/bid/24454/info

Mbedthis AppWeb is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.

This issue affects only applications that were built with logging enabled and installed with no "ErrorLog" directive in 'appweb.conf'.

Successful exploits may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.

AppWeb 2.2.2 is reported vulnerable; other versions may also be affected.

'GET %n://localhost:80/' request
|Affected Products
Embedthis Software Appweb 2.2.2
|References

Source: MISC
Link: http://www.appwebserver.org/forum/viewtopic.php?t=969
Source: BID
Name: 24454
Link: http://www.securityfocus.com/bid/24454
Source: OSVDB
Name: 35510
Link: http://www.osvdb.org/35510
Source: VUPEN
Name: ADV-2007-2159
Link: http://www.frsirt.com/english/advisories/2007/2159
Source: SECUNIA
Name: 25641
Link: http://secunia.com/advisories/25641