
CoreHTTP 0.5.3.1 Buffer Overflow

Posted Dec 7, 2009
Authored by Patroklos Argyroudis | Site census-labs.com

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input validation method for handling HTTP requests with invalid method names and URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the sscanf() call at file src/http.c line numbers 45 and 46.

tags | advisory, web, overflow
advisories | CVE-2009-3586
MD5 | b1fc405a23881cb5dd981fce48a6ca50

census ID:          census-2009-0003
URL: http://census-labs.com/news/2009/12/02/corehttp-web-server/
CVE ID: CVE-2009-3586
Affected Products: CoreHTTP web server versions <= 0.5.3.1.
Class: Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes
Discovered by: Patroklos Argyroudis

We have discovered a remotely exploitable "improper input validation"
vulnerability in the CoreHTTP web server that leads to an off-by-one
stack buffer overflow. The vulnerability can lead to denial of service
attacks against the web server and potentially to the remote execution
of arbitrary code with the privileges of the user running the server.

Details

CoreHTTP (http://corehttp.sourceforge.net/) is a minimalist web server
focusing on speed and size. More information about its features can be found
at http://corehttp.sourceforge.net/man.html.

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient
input validation method for handling HTTP requests with invalid method
names and URIs. Specifically, the vulnerability is an off-by-one buffer
overflow in the sscanf() call at file src/http.c line numbers 45 and 46:

45: sscanf(parentsprock->buffer,
46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);

The buffers req and url are declared to be of size 256 bytes (PATHSIZE),
while the conversion width 256 (PATHSIZE_S) lets sscanf() store up to 256
characters in each of them and then append the terminating NUL as a 257th
byte, one past the end of the buffer. A width of 255, or buffers of
PATHSIZE + 1 bytes, would be required for the call to be safe.

Note that this is not vulnerability CVE-2007-4060 in which the same
sscanf() call contained no bounds check at all.
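The off-by-one above, reproduced as an added example that is not CoreHTTP's own code and not the census-labs workaround patch. It assumes PATHSIZE is 256 and PATHSIZE_S is "256", as the advisory states, and uses a width of "255" as a hypothetical fix (the linked patch may take a different approach). Each destination is one byte larger than PATHSIZE with a canary in the extra byte, so the demonstration itself stays within bounds while showing exactly when the real 256-byte buffers would be overrun. The request lines are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Values as described in the advisory (assumed to match src/http.c). */
#define PATHSIZE   256
#define PATHSIZE_S "256"   /* vulnerable width: 256 chars + NUL = 257 bytes written */
#define FIXED_S    "255"   /* hypothetical fix: 255 chars + NUL fits in PATHSIZE bytes */
#define CANARY     0xAA
#define TAIL       " HTTP/1.0\r\n"

/* Constructed request line: a method of `method_len` 'A's and a URI of
   `uri_len` 'B's. Returns 0 on success, -1 if it does not fit in `out`. */
static int build_request(char *out, size_t outsz, size_t method_len, size_t uri_len)
{
    if (method_len + 1 + uri_len + sizeof(TAIL) > outsz)
        return -1;
    memset(out, 'A', method_len);
    out[method_len] = ' ';
    memset(out + method_len + 1, 'B', uri_len);
    strcpy(out + method_len + 1 + uri_len, TAIL);
    return 0;
}

/* Parse `request` with the same format string CoreHTTP uses, but into regions
   one byte larger than PATHSIZE. Byte [PATHSIZE] of each region is a canary:
   it is overwritten exactly when a real 256-byte buffer would have been
   overflowed by the terminating NUL. Returns 1 if either canary was clobbered. */
static int canary_clobbered(const char *request, int use_fix)
{
    char req[PATHSIZE + 1], url[PATHSIZE + 1];
    memset(req, CANARY, sizeof req);
    memset(url, CANARY, sizeof url);
    if (use_fix)
        sscanf(request, "%" FIXED_S "[A-Za-z] %" FIXED_S "s%*[ \t\n]", req, url);
    else
        sscanf(request, "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);
    return (unsigned char)req[PATHSIZE] != CANARY ||
           (unsigned char)url[PATHSIZE] != CANARY;
}

/* Build a request with the given field lengths and report whether the
   vulnerable (use_fix == 0) or fixed (use_fix == 1) parser writes past
   PATHSIZE bytes. Returns 1 (overflow), 0 (no overflow) or -1 (request too long). */
int overflows(size_t method_len, size_t uri_len, int use_fix)
{
    char request[1024];
    if (build_request(request, sizeof request, method_len, uri_len) != 0)
        return -1;
    return canary_clobbered(request, use_fix);
}

int main(void)
{
    printf("255-byte method, width 256: overflow=%d\n", overflows(255, 10, 0));
    printf("256-byte method, width 256: overflow=%d\n", overflows(256, 10, 0));
    printf("256-byte method, width 255: overflow=%d\n", overflows(256, 10, 1));
    printf("300-byte URI,    width 256: overflow=%d\n", overflows(3, 300, 0));
    printf("300-byte URI,    width 255: overflow=%d\n", overflows(3, 300, 1));
    return 0;
}
```

The boundary is the point: a 255-character method or URI is handled correctly by the original code, a 256-character one writes the NUL one byte past the buffer, which is why this is a one-byte stack overwrite rather than the unbounded copy of CVE-2007-4060.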

This vulnerability can lead to denial of service attacks against the
CoreHTTP web server and potentially to the remote execution of
arbitrary code with the privileges of the user running the server. We
have developed a proof-of-concept exploit to demonstrate the
vulnerability:

http://census-labs.com/media/corex.txt

For the time being, one may use the following workaround to address this
issue, until an official fix is released by the author:

http://census-labs.com/media/corehttp-0.5.3.1-patch.txt

--
Patroklos Argyroudis
http://www.census-labs.com/

