
CoreHTTP 0.5.3.1 Buffer Overflow

Posted Dec 7, 2009
Authored by Patroklos Argyroudis | Site census-labs.com

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input validation method for handling HTTP requests with invalid method names and URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the sscanf() call at file src/http.c line numbers 45 and 46.

tags | advisory, web, overflow
advisories | CVE-2009-3586
SHA-256 | 7895bd2e72f372fafa55aa28a36ef0e28ef9cb2efb8c7b6720638cb0cee1feee

census ID:          census-2009-0003
URL: http://census-labs.com/news/2009/12/02/corehttp-web-server/
CVE ID: CVE-2009-3586
Affected Products: CoreHTTP web server versions <= 0.5.3.1.
Class: Improper Input Validation (CWE-20), Failure to Constrain
Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes
Discovered by: Patroklos Argyroudis

We have discovered a remotely exploitable "improper input validation"
vulnerability in the CoreHTTP web server that leads to an off-by-one
stack buffer overflow. The vulnerability can lead to denial of service
attacks against the web server and potentially to the remote execution
of arbitrary code with the privileges of the user running the server.

Details

CoreHTTP (http://corehttp.sourceforge.net/) is a minimalist web server
focusing on speed and size. More information about its features can be found
at http://corehttp.sourceforge.net/man.html.

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient
input validation method for handling HTTP requests with invalid method
names and URIs. Specifically, the vulnerability is an off-by-one buffer
overflow in the sscanf() call at file src/http.c line numbers 45 and 46:

45: sscanf(parentsprock->buffer,
46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);

The buffers req and url are declared to be of size 256 bytes (PATHSIZE),
and the conversion width passed to sscanf() is also 256 (PATHSIZE_S). A
field width limits the number of input characters stored, but sscanf()
always appends a terminating NUL after them, so a method name or URI of
256 characters or more makes sscanf() store 257 bytes: the 256 characters
fill the buffer and the terminating NUL is written one byte past its end.

Note that this is not vulnerability CVE-2007-4060 in which the same
sscanf() call contained no bounds check at all.
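The following program, added here as an illustration and not taken from CoreHTTP or from the census patch, measures how far a width-limited sscanf() conversion actually writes. It uses the same format shape as the quoted call, the PATHSIZE value the advisory gives (256) for the vulnerable width, and PATHSIZE-1 (255) as the conventional fix; the request builder, the probe slack and all function names are constructed for this example. The buffers are deliberately larger than PATHSIZE so that looking at index 256 is well-defined here; in the real server that index is already past the end of the array.

```c
/* Added example (not CoreHTTP's code, not the census patch): measure how far
 * a width-limited sscanf() conversion writes, to show the off-by-one in the
 * advisory. PATHSIZE/PATHSIZE_S mirror the values the advisory quotes (256);
 * the request builder, the "255" fixed width and all function names are
 * constructed here for illustration. */
#include <stdio.h>
#include <string.h>

#define PATHSIZE   256     /* declared size of req and url in CoreHTTP */
#define PATHSIZE_S "256"   /* width CoreHTTP passes to sscanf(): vulnerable */
#define FIXED_S    "255"   /* PATHSIZE-1: leaves one byte for the terminator */

/* Same shape as the CoreHTTP format string quoted above. */
#define FMT(w) "%" w "[A-Za-z] %" w "s%*[ \t\n]"

/* Slack after index PATHSIZE-1 so that probing past the end is well-defined
 * here. The real server has exactly PATHSIZE bytes, so anything that lands
 * at index PATHSIZE or later corrupts whatever follows on the stack. */
#define PROBE (PATHSIZE + 16)

/* Build a constructed request line: mlen letters, a space, ulen '/' chars,
 * newline. Returns -1 if it does not fit in out. */
static int make_request(char *out, size_t outsz, size_t mlen, size_t ulen)
{
    if (mlen + 1 + ulen + 2 > outsz)
        return -1;
    memset(out, 'A', mlen);
    out[mlen] = ' ';
    memset(out + mlen + 1, '/', ulen);
    memcpy(out + mlen + 1 + ulen, "\n", 2);   /* copies the NUL too */
    return 0;
}

/* Parse the constructed request with the vulnerable width (fixed == 0) or
 * the corrected width (fixed != 0) and return how many bytes sscanf() stored
 * at index PATHSIZE or beyond across both buffers: 0 means both stayed in
 * bounds, -1 means the line did not parse (fewer than two assignments). */
int bytes_past_end(int fixed, size_t mlen, size_t ulen)
{
    char request[1024];
    char req[PROBE], url[PROBE];

    if (make_request(request, sizeof request, mlen, ulen) < 0)
        return -1;

    /* Sentinel fill: any non-'X' byte at or after index PATHSIZE was
     * written by sscanf(). */
    memset(req, 'X', sizeof req);
    memset(url, 'X', sizeof url);

    int n = fixed ? sscanf(request, FMT(FIXED_S),    req, url)
                  : sscanf(request, FMT(PATHSIZE_S), req, url);
    if (n != 2)
        return -1;

    int past = 0;
    for (size_t i = PATHSIZE; i < PROBE; i++) {
        if (req[i] != 'X') past++;
        if (url[i] != 'X') past++;
    }
    return past;
}

int main(void)
{
    /* A 256-letter method and a 256-byte URI: each conversion stores 256
     * characters and then its terminating NUL at index 256. */
    printf("vulnerable width, 256/256: %d byte(s) past the end\n",
           bytes_past_end(0, 256, 256));
    printf("vulnerable width, 255/255: %d byte(s) past the end\n",
           bytes_past_end(0, 255, 255));
    printf("fixed width,      300/300: %d byte(s) past the end\n",
           bytes_past_end(1, 300, 300));
    return 0;
}
```

With the vulnerable width, one NUL lands at index 256 of each buffer as soon as the method or the URI reaches 256 characters; with a width of 255 the terminator always fits, whatever the input length. Note that the 255 width changes how an over-long method is split between req and url, which is harmless for bounds but is why a real fix should also reject over-long request lines rather than silently truncating them.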

This vulnerability can lead to denial of service attacks against the
CoreHTTP web server and potentially to the remote execution of
arbitrary code with the privileges of the user running the server. We
have developed a proof-of-concept exploit to demonstrate the
vulnerability:

http://census-labs.com/media/corex.txt

For the time being, one may use the following workaround to address this
issue, until an official fix is released by the author:

http://census-labs.com/media/corehttp-0.5.3.1-patch.txt

--
Patroklos Argyroudis
http://www.census-labs.com/
