Vulnerability: wwwwais.c
Affected: wwwwais v25

Description

'auto122896' found the following. wwwwais.c is a CGI-based application that provides a frontend to several WAIS query tools. 'auto122896' was unable to locate the main distribution site for it, but source code can be found at the following locations:

    http://www.spawar.navy.mil/planet_earth/free/wwwwais/
    http://sunsite.bilkent.edu.tr/pub/infosystems/wwwwais/
    http://xenia.sote.hu/ftp/www/tools/index/wwwwais/
    http://www.doc.mmu.ac.uk/DEVELOPMENT/scripts/
    http://yardim.bilkent.edu.tr/WWW/wwwwais/
    http://wwwmaths.anu.edu.au/atc/wwwwais/

This discussion applies to wwwwais.25.c, which appears to be the latest version.

(1) The attacker uses the GET method, causing execution of the following code:

    136 static char query_string[MAXSTRLEN],
        [...]
    196   else if (!strncmp(method, "GET", 3)) {
    197     query = (char *) getenv("QUERY_STRING");
    198     if (query == NULL)
    199       query_string[0] = '\0';
    200     else
    201       strcpy(query_string, query);

query_string is a character array allocated in the BSS segment. Its size is MAXSTRLEN, which translates to 1024. The POST method won't work for this overflow because a guard variable is used to process it.

    211   version = ((getvalue(VERSIONTXT, ""))[0] == '\0') ? 0 : 1;

As can be seen, getvalue() is invoked immediately afterwards.
(2) The attacker prepends "version=666&" to QUERY_STRING in order to force execution of the strcpy at line 351 in the following code:

    335 {
    336   int i;
    337   char *c, *argp, argstr[MAXSTRLEN];
    338   static char value[MAXSTRLEN], tmpstr[MAXSTRLEN];
    339
    340   if (query_string[0] == '\0' || !lstrstr(query_string, var)) {
    341     argp = (char *) getenv("PATH_INFO");
    342     if (argp == NULL || !lstrstr(argp, var)) {
    343       if (strlen(def) <= 1)
    344         return "\0";
    345       strcpy(tmpstr, decode(def));
    346       return tmpstr;
    347     }
    348     strcpy(argstr, argp);
    349   }
    350   else
    351     strcpy(argstr, query_string);
    352
    353   for (i = 0, c = (char *) lstrstr(argstr, var) +
    354        strlen(var); *c && i < MAXSTRLEN && *c != '&'; c++)
    355     value[i++] = *c;
    356   value[i] = '\0';
    357
    358   if (i) {
    359     strcpy(tmpstr, decode(value));
    360     return tmpstr;
    361   }

argstr is allocated on the stack; therefore the attacker can overwrite the activation record by crafting QUERY_STRING appropriately. The attacker will most likely gain access to the system running the vulnerable application, with privileges equivalent to those belonging to the webserver process. However, most attackers will use fork-bomb shellcode that could bring your server to a complete standstill.

It is estimated that 200-300 sites are vulnerable to this overflow. It's probable that there are many other vulnerabilities existing in wwwwais.c, but the one mentioned above is by far the easiest to exploit.

Solution

Workaround: rm -f wwwwais*
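For comparison with the unbounded strcpy() calls at lines 201 and 351, the following is an added example (not code from wwwwais.c or from 'auto122896') of how the same parameter lookup can be written so that the length of QUERY_STRING is enforced rather than assumed. It assumes, for illustration, that var is the bare parameter name (the original passes VERSIONTXT, whose exact contents are not shown), matches case-sensitively (the original's lstrstr() is not shown) and leaves out the original's decode() step; the MAXSTRLEN value of 1024 is taken from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXSTRLEN 1024   /* same limit the advisory quotes for wwwwais.c */

/* Hardened replacement for the lookup getvalue() performs: find "var=" in the
 * query string and copy its value up to the next '&' into the caller's buffer.
 * Unlike lines 201/351 of wwwwais.c, nothing is copied into a fixed-size
 * buffer before its length has been checked. Returns the value length, or -1
 * when the request must be rejected (query string longer than MAXSTRLEN, or a
 * value that would not fit in out). */
int safe_getvalue(const char *query, const char *var, const char *def,
                  char *out, size_t outlen)
{
    size_t qlen, vlen;
    const char *p, *end;

    if (query == NULL)
        query = "";
    qlen = strlen(query);
    /* The original assumed QUERY_STRING fits in MAXSTRLEN; enforce it. */
    if (qlen >= MAXSTRLEN)
        return -1;

    vlen = strlen(var);
    p = query;
    /* Match only at a parameter boundary followed by '=', so that a parameter
     * merely containing the name (e.g. "xversion=") is not mistaken for it. */
    while ((p = strstr(p, var)) != NULL) {
        if ((p == query || p[-1] == '&') && p[vlen] == '=') {
            p += vlen + 1;
            end = strchr(p, '&');
            if (end == NULL)
                end = p + strlen(p);
            if ((size_t)(end - p) >= outlen)
                return -1;          /* value would overflow the caller's buffer */
            memcpy(out, p, (size_t)(end - p));
            out[end - p] = '\0';
            return (int)(end - p);
        }
        p += vlen;
    }

    /* Parameter absent: fall back to the default, still bounded. */
    if (strlen(def) >= outlen)
        return -1;
    strcpy(out, def);
    return (int)strlen(def);
}

/* Constructed over-long request (1500 bytes, well past MAXSTRLEN) to show
 * that the length check, not the buffer, decides the outcome. */
int demo_overlong_query(void)
{
    char big[1500];
    char out[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return safe_getvalue(big, "version", "", out, sizeof out);
}

int main(void)
{
    /* Constructed sample query strings, not captured traffic. */
    char out[64];
    int n;

    n = safe_getvalue("version=1&keywords=wais", "version", "", out, sizeof out);
    printf("version: %d byte(s) -> \"%s\"\n", n, n >= 0 ? out : "(rejected)");

    n = safe_getvalue("keywords=wais", "version", "", out, sizeof out);
    printf("version absent: %d byte(s) -> \"%s\"\n", n, n >= 0 ? out : "(rejected)");

    n = demo_overlong_query();
    printf("over-long QUERY_STRING: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

A CGI wrapper built on this lookup would return an HTTP error when safe_getvalue() reports -1, and logging that rejection gives operators a simple indicator that someone is sending over-sized query strings to the script.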