
From: qitest1 <qitest1_(at)_cercaband.com>
Date: 18.06.2001
Subject: Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)


 /* qitest1's security advisory #002
  */
 
 Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)
 
+Systems Affected
 Any system running GazTek HTTP Daemon v1.4 (ghttpd)

+Program Description
 ghttpd is a small, easy-to-configure HTTP server with CGI support,
 tested on Linux. It can run as a standalone daemon or be called by
 inetd. It was written by Gareth Owen <gaz@athene.co.uk>,
 http://members.xoom.com/gaztek.

+Vulnerability And Impact
 A remote attacker can overflow a buffer and execute arbitrary code
 on the system with the privileges of the user running ghttpd, that
 is, nobody, as all privileges are dropped.
 In fact, in util.c at line 219 we have:
       va_start(ap, format);           // format it all into temp
       vsprintf(temp, format, ap);
       va_end(ap);
 vsprintf() places no limit on how many bytes it writes into temp.

+Solution
 The author was contacted but did not answer. Apply a patch to the
 source code of the daemon or remove it from your system.

+Exploit
 This bug can be successfully exploited by a remote attacker.
 Demonstration exploit code is attached to this advisory. See the
 code for more info.

--
/* qitest1              http://qitest1.cjb.net *
*    ``Ut tensio, sic vis. 69 tecum sis.''    *
* main(){if(unsatisfied == 69) try_come(in);} */
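
The Solution section says to patch the source but shows no patch. The following C code is an added example, not part of the original advisory and not ghttpd's own code: it shows the bounded form of the vsprintf(temp, format, ap) pattern using vsnprintf() with truncation reporting. The names format_bounded, check_request and TEMP_SIZE, the buffer size, and the sample request line are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TEMP_SIZE 200  /* assumed; the advisory does not state temp's size */

/* Hypothetical bounded replacement for the vsprintf(temp, format, ap) call.
 * Returns 0 if the output fit, 1 if it was truncated, -1 on error. */
int format_bounded(char *out, size_t out_size, const char *format, ...)
{
    va_list ap;
    int n;

    if (out == NULL || out_size == 0 || format == NULL)
        return -1;
    va_start(ap, format);
    /* Writes at most out_size bytes, NUL included; returns the needed length. */
    n = vsnprintf(out, out_size, format, ap);
    va_end(ap);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= out_size ? 1 : 0;
}

/* Constructed layout: a canary sits directly after temp in memory. */
struct guarded { char temp[TEMP_SIZE]; char canary[8]; };

/* Formats a constructed request line whose path is path_len bytes long.
 * Returns 1 if the canary is intact, 0 if overwritten, -1 on bad input. */
int check_request(size_t path_len, int *truncated, size_t *stored_len)
{
    static char path[4096];
    struct guarded g;

    if (path_len >= sizeof path)
        return -1;
    memset(path, 'A', path_len);
    path[path_len] = '\0';
    memcpy(g.canary, "CANARY!", 8);
    *truncated = format_bounded(g.temp, sizeof g.temp, "GET %s HTTP/1.0", path);
    *stored_len = strlen(g.temp);
    return memcmp(g.canary, "CANARY!", 8) == 0;
}

int main(void)
{
    int t; size_t len;
    int ok = check_request(1000, &t, &len);
    printf("canary_intact=%d truncated=%d stored=%zu\n", ok, t, len);
    return 0;
}
```

A caller should treat a return value of 1 as a signal to reject or shorten the request instead of logging a silently cut message.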
