
Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability



---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
---------------------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Sws Web Server
Version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description :

SWS is a web server for static web pages.
SWS is very simple and fast. It is written in GCC and can be distributed under the GPL license.
---------------------------------------------------------------------------
=0D
Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary code.
The format string vulnerability and buffer overflow can be found in the
sws_web_server.c and ayardosyasi.h files:

------------------ ayardosyasi.h ------------------------

    ...........
    char homedizini[50];            /* home directory */
    char defaultsayfa[50];          /* default page */
    char hatasayfasi[100];          /* error page */
    ...........
    void open_log_file (void)
    {
    ....
    syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og files cannot opened. ");
    exit (1);
    ...........

------------------ sws_web_server.c------------------------

    cp = buf + 5;
    ...........
    if (buf[strlen (buf) - 1] == '/')
    {
          strcpy (cp, defaultsayfa);    /* unbounded copy into the request buffer */
          strcpy (home, homedizini);    /* unbounded copy */
          strcat (home, cp);            /* unbounded append */
    .............
    syslog(LOG_INFO, "Application finished.");
      free(recvBuffer);
      exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and buffer overflow vulnerabilities have been found.
The problems likely exist because user-supplied data is passed
as the format string argument to the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.
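
Added example (not part of the original advisory and not SWS code): a bounded replacement for the strcpy/strcpy/strcat sequence, and a logging helper that passes request data only as an argument to a constant format string. The syslog() calls visible in the excerpt use literal strings and the call that takes request data is not shown, so log_request() is a hypothetical stand-in; build_path(), its parameters, the buffer sizes and the sample inputs are likewise assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Bounded form of the strcpy/strcpy/strcat sequence. req is the path after
 * "GET /" (cp in the excerpt); if it is empty or ends in '/', the default
 * page replaces it, as strcpy(cp, defaultsayfa) does in the excerpt.
 * Returns 0 on success, -1 if home + page does not fit (no truncation). */
int build_path(char *out, size_t outsz, const char *home,
               const char *req, const char *default_page)
{
    size_t len = strlen(req);
    const char *page = (len == 0 || req[len - 1] == '/') ? default_page : req;
    int n = snprintf(out, outsz, "%s%s", home, page);

    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;                /* caller should reject the request */
    }
    return 0;
}

/* Request data travels only as an argument to a constant format string, so
 * conversion specifiers inside it are copied, not interpreted.
 * Returns the formatted length, or -1 if the line did not fit. */
int log_request(char *line, size_t linesz, const char *req)
{
    int n = snprintf(line, linesz, "request: %s", req);

    if (n < 0 || (size_t)n >= linesz)
        return -1;
    syslog(LOG_INFO, "%s", line); /* never syslog(LOG_INFO, line) */
    return n;
}

int main(void)
{
    char path[64], line[128];     /* constructed sample sizes and inputs */

    if (build_path(path, sizeof path, "/var/www/", "", "index.html") == 0)
        printf("%s\n", path);
    if (log_request(line, sizeof line, "GET /%x%x%n") > 0)
        printf("%s\n", line);
    return 0;
}
```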

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
