CoreHTTP 0.5.3.1 Buffer Overflow
Posted Dec 7, 2009
Authored by Patroklos Argyroudis | Site census-labs.com

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input validation method for handling HTTP requests with invalid method names and URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the sscanf() call at file src/http.c line numbers 45 and 46.

tags | advisory, web, overflow
advisories | CVE-2009-3586
MD5 | b1fc405a23881cb5dd981fce48a6ca50

census ID: census-2009-0003
URL: http://census-labs.com/news/2009/12/02/corehttp-web-server/
CVE ID: CVE-2009-3586
Affected Products: CoreHTTP web server versions <= 0.5.3.1.
Class: Improper Input Validation (CWE-20), Failure to Constrain
Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes
Discovered by: Patroklos Argyroudis

We have discovered a remotely exploitable "improper input validation"
vulnerability in the CoreHTTP web server that leads to an off-by-one
stack buffer overflow. The vulnerability can lead to denial of service
attacks against the web server and potentially to the remote execution
of arbitrary code with the privileges of the user running the server.

Details

CoreHTTP (http://corehttp.sourceforge.net/) is a minimalist web server
focusing on speed and size. More information about its features can be found
at http://corehttp.sourceforge.net/man.html.

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient
input validation method for handling HTTP requests with invalid method
names and URIs. Specifically, the vulnerability is an off-by-one buffer
overflow in the sscanf() call at file src/http.c line numbers 45 and 46:

45: sscanf(parentsprock->buffer,
46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);

The buffers req and url are declared to be of size 256 bytes (PATHSIZE),
and the sscanf() call writes up to 256 bytes (PATHSIZE_S) of input into each
of them, leaving no room inside the buffer for the terminating NUL byte,
which is written one byte past its end.
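To make the off-by-one concrete, the following is an added example (not code from the census advisory or from the CoreHTTP source) that runs the advisory's format string and a corrected variant with widths of PATHSIZE - 1 against buffers carrying a single guard byte at index 256, so the misplaced terminator becomes observable without corrupting real memory. The function names parse_with, probe, vulnerable_parse, fixed_parse and the guard value are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define PATHSIZE 256  /* size of req and url in src/http.c per the advisory */

/* Field widths as in the advisory (256) and as a corrected build would use
 * (255). A "%Ns" / "%N[...]" conversion stores up to N characters plus a
 * terminating NUL, so its destination must be at least N + 1 bytes long. */
#define VULN_FMT  "%256[A-Za-z] %256s%*[ \t\n]"
#define FIXED_FMT "%255[A-Za-z] %255s%*[ \t\n]"

/* Parse a request line into req/url as src/http.c does, but into buffers
 * that carry one extra guard byte at index PATHSIZE (assumed value 0xAA).
 * The guard shows where sscanf() places the terminating NUL without
 * touching real neighbouring memory. Returns 1 if both guards survived,
 * 0 if a guard was overwritten (the off-by-one), -1 if the line did not
 * match the format at all. */
static int parse_with(const char *fmt, const char *line)
{
    char req[PATHSIZE + 1], url[PATHSIZE + 1];
    const char guard = (char)0xAA;

    memset(req, 0, sizeof req);
    memset(url, 0, sizeof url);
    req[PATHSIZE] = guard;
    url[PATHSIZE] = guard;

    if (sscanf(line, fmt, req, url) != 2)
        return -1;
    return req[PATHSIZE] == guard && url[PATHSIZE] == guard;
}

int vulnerable_parse(const char *line) { return parse_with(VULN_FMT, line); }
int fixed_parse(const char *line)      { return parse_with(FIXED_FMT, line); }

/* Build a constructed request line (`method_len` letters, a space,
 * `url_len` slashes, newline) and parse it with either format. */
int probe(size_t method_len, size_t url_len, int use_fixed)
{
    char line[1024];

    if (method_len + url_len + 3 > sizeof line)
        return -1;
    memset(line, 'A', method_len);
    line[method_len] = ' ';
    memset(line + method_len + 1, '/', url_len);
    line[method_len + 1 + url_len] = '\n';
    line[method_len + 2 + url_len] = '\0';
    return use_fixed ? fixed_parse(line) : vulnerable_parse(line);
}
```

A method or URI of exactly 256 characters is enough to overwrite the guard with the vulnerable widths, while the corrected widths truncate the field to 255 characters and keep the terminator inside the buffer.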

Note that this is not vulnerability CVE-2007-4060 in which the same
sscanf() call contained no bounds check at all.

This vulnerability can lead to denial of service attacks against the
CoreHTTP web server and potentially to the remote execution of
arbitrary code with the privileges of the user running the server. We
have developed a proof-of-concept exploit to demonstrate the
vulnerability:

http://census-labs.com/media/corex.txt

For the time being, one may use the following workaround to address this
issue, until an official fix is released by the author:

http://census-labs.com/media/corehttp-0.5.3.1-patch.txt

--
Patroklos Argyroudis
http://www.census-labs.com/
