Apr 22, 2000 - 12:00 a.m.

htimage info -- may apply to unix as well

vulners.com

I've spent some time looking at the htimage issue reported by
[email protected], and have some additional info.

First, the htimage.exe that comes with FrontPage appears to be a
simple port of HTImage.c from the w3c-httpd distribution. You can
view the source code at
http://www.w3.org/Daemon/Implementation/HTImage.c. Naturally, this
implies that the problems in htimage.exe may apply equally to unix
servers with an htimage in their cgi-bin. Doing a search on altavista
for cgi-bin/htimage provides plenty of hits, so it's definitely out
there.

Looking at the source code, there are several potential problems:

o a buffer overflow of msg[1024] due to strcat-ing the user-supplied
argument into an error message buffer.

o a buffer overflow of lex_str[] if the imagemap file contains a large
enough (<256 char) lexeme.

o it will try to open and read files outside the webroot

o it will give away the location of the webroot

o it doesn't escape any of the user's input when it sends it back in
an error message. This opens cross-site scripting possibilities.
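What the per-path diagnostic would look like if it were kept instead of removed, as an added example written for this note and not code from HTImage.c or the original post: a bounded append that HTML-escapes the untrusted paths, so neither the msg[1024] overflow nor the reflected-input cross-site scripting is possible. The function and parameter names are assumptions, not anything in htimage.

```c
#include <stddef.h>
#include <string.h>
/* Append one char to dst (capacity cap, length *len) without ever writing
 * past dst[cap - 1]; dst stays NUL-terminated. Returns 0 if it fit, else -1. */
static int put_char(char *dst, size_t cap, size_t *len, char c)
{
    if (*len + 1 >= cap)
        return -1;
    dst[(*len)++] = c;
    dst[*len] = '\0';
    return 0;
}

/* Append src to dst, bounded by cap; with escape != 0, HTML metacharacters
 * become entities. Returns 0, or -1 if the output had to be truncated. */
int append_bounded(char *dst, size_t cap, const char *src, int escape)
{
    size_t len = strlen(dst);
    for (; *src; src++) {
        const char *rep = NULL;
        if (escape && *src == '<') rep = "&lt;";
        if (escape && *src == '>') rep = "&gt;";
        if (escape && *src == '&') rep = "&amp;";
        if (escape && *src == '"') rep = "&quot;";
        if (!rep && put_char(dst, cap, &len, *src))
            return -1;
        for (; rep && *rep; rep++)
            if (put_char(dst, cap, &len, *rep))
                return -1;
    }
    return 0;
}

/* The "tried the following" diagnostic rebuilt safely (hypothetical name):
 * fixed markup is appended raw, each untrusted path is escaped, and the
 * whole text is bounded by cap (1024 in HTImage.c). Returns 0, or -1 on
 * truncation; in both cases msg is NUL-terminated within cap. */
int build_notfound_msg(char *msg, size_t cap, const char *const *paths, size_t n)
{
    int rc = 0;
    size_t i;
    if (cap == 0) return -1;
    msg[0] = '\0';
    rc |= append_bounded(msg, cap, "Picture config file not found, tried:<UL>", 0);
    for (i = 0; i < n; i++) {
        rc |= append_bounded(msg, cap, "\n<LI> ", 0);
        rc |= append_bounded(msg, cap, paths[i], 1);
    }
    rc |= append_bounded(msg, cap, "\n</UL>\n", 0);
    return rc;
}
```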

I built the source on RH Linux 6.0, and tried it with apache 1.3.6. I
also tried the FrontPage htimage.exe on NT4 with IIS4. I wasn't able
to exploit either overflow on NT or linux. This appears to be just
dumb luck, however. As Thomas Dullien <[email protected]> pointed out,
the overflowing strcats are immediately followed by a function call
which ends by calling exit(), so the overrun stack is never returned
to. In the case of lex_str[], it happens (at least on linux) that its
buffer is positioned at virtually the very end of the .bss section
(only the other lex_* vars follow it), so you can't get much there
either.

Of course, things may be different on other platforms, and I may have
missed something, so it would still be wise to check your
installations for htimage (or htimage.exe) and take the appropriate
steps.

Solutions

In the Apache universe, htimage seems to be in relative disuse. I
tried to contact the author of HTImage.c, Ari Luotonen
<[email protected]> according to the source, but mail bounces.
Apache now comes with mod_imap for handling imagemaps, so it would
probably be best to switch to using that instead of htimage. If you
must continue with htimage, the following patch should fix the bugs
listed above. There may well be other problems, though. Caveat
emptor.

If you're using htimage.exe, wait for MS's response, or you may
try compiling your own htimage.exe.

Thanks to the RAZOR team, esp. Simple Nomad for assistance with
this note.

Todd

diff -u HTImage.c.orig HTImage.c
— HTImage.c.orig Thu Apr 20 16:34:08 2000
+++ HTImage.c Thu Apr 20 16:44:26 2000
@@ -226,8 +226,10 @@
break;

      default:
  •       lex_str[lex_cnt++] = ch;
    
  •       lex_str[lex_cnt] = &#40;char&#41;0;
    
  •        if &#40;lex_cnt &lt; &#40;sizeof &#40;lex_str&#41; - 1&#41;&#41; {
    
  •          lex_str[lex_cnt++] = ch;
    
  •          lex_str[lex_cnt] = &#40;char&#41;0;
    
  •        }
      } /* switch ch */
    
    } /* forever */
    }
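Review bot: the added `if (lex_cnt < (sizeof (lex_str) - 1))` guard in the `default:` case stops the write past the end of `lex_str`, but it discards every further character silently, so an over-long lexeme in the imagemap file is parsed as a shorter, different token with no diagnostic; consider treating hitting the limit as a parse error, or at least reporting it to stderr, rather than truncating. The check also relies on `lex_str` being declared as an array so that `sizeof` yields the buffer size rather than a pointer size, which deserves a comment next to the declaration.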
    @@ -733,26 +735,8 @@
    }
    if (!fp && path_translated)
    fp = fopen(path_translated, "r");
  • if (!fp && path_info)
  •   fp = fopen&#40;path_info, &quot;r&quot;&#41;;
    
    if (!fp) {
  •   char msg[1024];
    
  •   sprintf&#40;msg,
    
  •   &quot;Picture config file not found, tried the following:&lt;UL&gt;&quot;&#41;;
    
  •   if &#40;config_file1&#41; {
    
  •       strcat&#40;msg, &quot;&#92;n&lt;LI&gt; &quot;&#41;; strcat&#40;msg, config_file1&#41;;
    
  •   }
    
  •   if &#40;config_file2&#41; {
    
  •       strcat&#40;msg, &quot;&#92;n&lt;LI&gt; &quot;&#41;; strcat&#40;msg, config_file2&#41;;
    
  •   }
    
  •   if &#40;path_translated&#41; {
    
  •       strcat&#40;msg, &quot;&#92;n&lt;LI&gt; &quot;&#41;; strcat&#40;msg, path_translated&#41;;
    
  •   }
    
  •   if &#40;path_info&#41; {
    
  •       strcat&#40;msg, &quot;&#92;n&lt;LI&gt; &quot;&#41;; strcat&#40;msg, path_info&#41;;
    
  •   }
    
  •   strcat&#40;msg, &quot;&#92;n&lt;/UL&gt;&#92;n&quot;&#41;;
    
  •   fatal&#40;msg&#41;;
    
  •   fatal&#40;&quot;Picture config file not found&#92;n&quot;&#41;;
    

    }

    pict = parse_picture(fp);
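Review bot: replacing the built-up `msg` with the fixed `fatal("Picture config file not found\n")` removes the msg[1024] overflow, the webroot disclosure and the unescaped echo of client input in one go, but it also leaves the operator with no record of which config paths were tried; write those paths to stderr (the server error log) before the `fatal` call rather than sending them to the client. Dropping the `if (!fp && path_info)` fallback is the right fix for the out-of-webroot read, since PATH_INFO is entirely chosen by the client and that `fopen` was the call that honoured it.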