
imgsvr-overflow.txt

Posted Jul 11, 2007
Authored by mu-b, Tim Brown | Site portcullis-security.com

ImgSvr suffers from a stack overflow vulnerability.

tags | advisory, overflow
SHA-256 | 565d22b95eca8b9f9bc666c22a941d4f22918caf966cb2431c62ee0ee7aa6b51

Portcullis Security Advisory 06-058


Vulnerable System:

ImgSvr.


Vulnerability Title:

The ImgSvr is vulnerable to a stack overflow.


Vulnerability discovery and development:

Portcullis Security Testing Services. Further research was then carried out by Tim Brown and
Neil Kettle.


Credit for Discovery:

Tim Brown and Neil Kettle of Portcullis Computer Security Ltd.


Affected systems:

All known versions of ImgSvr.


Details:

Following the Bugtraq posting "imgsvr dos exploit by n00b", which described a
remote Denial of Service of the Windows version of ImgSvr, research was carried out which
indicated that the Linux version was also vulnerable to the same attack,
although significantly more input was required.

Through further research, it was then identified that the same remote Denial of
Service could also be caused by passing a large value to the template parameter as
follows:

GET /?template=<large value> HTTP/1.0

In both cases this led to ImgSvr failing within the internal Ada function
system__file_io__open. Due to the way the Linux implementation of the GNU Ada
compiler works to protect against stack overflows, a secondary stack of $ebp,
$eip and $esp is maintained above the primary stack. When our request causes
system__file_io__open to fail, an exception is caught by the exception handler
which uses the values of the secondary stack in an attempt to handle the
exception in a graceful manner. However, because we have smashed through into
the $ebp and $eip values on the secondary stack, we can influence further code
execution.
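
The request pattern described above can be looked for in web server access logs. The following Python sketch is an added example, not part of the Portcullis advisory or of ImgSvr; the Common Log Format input, the 256-character threshold (the advisory gives no length) and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the advisory gives no length, so this cut-off is a tunable guess.
MAX_TEMPLATE_LEN = 256

# Request portion of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

def oversized_template(line, limit=MAX_TEMPLATE_LEN):
    """Return the longest URL-decoded `template` value length if it exceeds
    limit, else None. Lines without a parsable request also return None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # A parameter may be repeated; check every occurrence, case-insensitively.
    lengths = [len(v) for k, v in parse_qsl(query, keep_blank_values=True)
               if k.lower() == "template"]
    worst = max(lengths, default=0)
    return worst if worst > limit else None

def scan(lines, limit=MAX_TEMPLATE_LEN):
    """Return (client, length) for each log line with an oversized template value."""
    hits = []
    for line in lines:
        length = oversized_template(line, limit)
        if length is not None:
            hits.append((line.split(" ", 1)[0], length))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2007:10:00:00 +0000] "GET /?template=default HTTP/1.0" 200 512',
    '192.0.2.66 - - [11/Jul/2007:10:00:05 +0000] "GET /?template=' + "A" * 4000 + ' HTTP/1.0" 500 0',
    '192.0.2.67 - - [11/Jul/2007:10:00:09 +0000] "GET /?x=1&template=' + "%41" * 300 + ' HTTP/1.0" 500 0',
    '192.0.2.11 - - [11/Jul/2007:10:00:12 +0000] "GET /album/1.jpg HTTP/1.0" 200 20480',
]

if __name__ == "__main__":
    for client, length in scan(SAMPLE_LOG):
        print(f"{client}: template parameter of {length} characters")
```

The same length limit can be enforced in a reverse proxy in front of ImgSvr so that oversized values never reach system__file_io__open.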

Impact:

An attacker could cause a Denial of Service or execute arbitrary code.
In addition, it is believed that variants of this vulnerability may exist in
other products. ImgSvr uses AWS, a generic web server implemented in Ada
which is likely to have been used in other products. In addition, the flaw
in the secondary stack implementation can be attributed to the GNU Ada compiler
and is not unique to ImgSvr.

Exploit:

The proof of concept exploit code is available.

Vendor Status:

Contacted frett27@userssourceforge.net and p.orbry@wanadoo.fr


e-mailed - 16th January 2007
e-mailed - 22nd January 2007
e-mailed - 14th February 2007
e-mailed - 15th March 2007

Copyright:

Copyright © Portcullis Computer Security Limited 2005, All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the express
written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties, implied or otherwise, with regard to this information or its
use. Any use of this information is at the user's risk. In no event shall the
author/distributor (Portcullis Computer Security Limited) be held liable for
any damages whatsoever arising out of or in connection with the use or spread
of this information.