BOOZT! is banner management software for Linux servers. It has a web-based remote administration system. I played with version 0.9.8alpha.

Here is a reproduction of the bug:

    http://127.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1

Fill the "Name" field with enough A's (1590 was fine for me) and press "Create New Banner". It should show this:

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.

Let's see what happened in error_log (the CGI died before it could print its HTTP headers, which is what Apache reports as "premature end of script headers"):

    [Tue Feb 5 17:13:52 2002] [error] [client 127.0.0.1] Premature end of script headers: /usr/local/apache/cgi-bin/boozt/admin/index.cgi

Now see what the code for the AdministrationBanners function (src/admin/banners.c) looks like:

    char name[255]="";
    [...]
    if ((pomus=(char *)GetFromCgi("name"))==NULL)
        strcpy(name,"");
    else
        strcpy(name,pomus);

GetFromCgi returns the parameter value exactly as the client submitted it, and nothing on the way checks its length:

    #define GetFromCgi(name) cgiParam(name)

    const char *cgiParam(const char *name)
    {
        return cgiPosParam((CgiPos*)listGetByName(name));
    }

    const char *cgiPosParam(CgiPos *where)
    {
        CgiElement *w=(CgiElement*)where;
        DefCheck(NULL);
        [ ... code to walk over the linked list ... ]
    }

So the strcpy() in AdministrationBanners copies a client-controlled string of arbitrary length into the 255-byte "name" buffer. This way we can write A's (or shellcode) beyond the boundaries of the "name" variable, making the CGI crash (or give us a shell with the privileges of the httpd process).

Rafael San Miguel Carrasco (_kiss_)
rsanmcar@alum.uax.es
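The following is an added example, not BOOZT! code: it puts the unbounded strcpy() pattern from banners.c next to a bounded replacement, and shows how far a 1590-byte "name" parameter would run past the 255-byte buffer. The query-string parser (get_param, a stand-in for GetFromCgi/cgiParam), build_query, copy_name_unbounded, copy_name_bounded and overflow_bytes are all names assumed for this illustration; the request is constructed to match the reproduction above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_SIZE 255   /* same size as char name[255] in AdministrationBanners */

/* Constructed request: the reproduction above with n_as A's in "name".
 * Returns a malloc'd query string; the caller frees it. */
char *build_query(size_t n_as) {
    const char *prefix = "section=5&input=1&name=";
    size_t plen = strlen(prefix);
    char *q = malloc(plen + n_as + 1);
    if (!q) return NULL;
    memcpy(q, prefix, plen);
    memset(q + plen, 'A', n_as);
    q[plen + n_as] = '\0';
    return q;
}

/* Stand-in for GetFromCgi()/cgiParam() (assumed, not the BOOZT! code): look up
 * `key` in a query string and return a malloc'd copy of its value (up to the
 * next '&'), or NULL if absent. Like the original, it applies no length limit;
 * the caller has to. */
char *get_param(const char *query, const char *key) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(vlen + 1);
            if (!out) return NULL;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* The vulnerable pattern from banners.c: strcpy() into a fixed buffer with no
 * length check. Never call this with untrusted input; it is here only to sit
 * next to the fix. */
void copy_name_unbounded(char name[NAME_SIZE], const char *pomus) {
    if (pomus == NULL) strcpy(name, "");
    else strcpy(name, pomus);
}

/* Bounded replacement: never writes past name_size, always NUL-terminates,
 * and returns 1 when the input had to be truncated so the caller can reject
 * the request instead of silently storing a clipped banner name. */
int copy_name_bounded(char *name, size_t name_size, const char *pomus) {
    if (name_size == 0) return 1;
    if (pomus == NULL) { name[0] = '\0'; return 0; }
    size_t len = strlen(pomus);
    if (len >= name_size) {
        memcpy(name, pomus, name_size - 1);
        name[name_size - 1] = '\0';
        return 1;
    }
    memcpy(name, pomus, len + 1);
    return 0;
}

/* Bytes copy_name_unbounded() would write past the end of name[] for a
 * parameter of value_len characters (the terminating NUL counts too). */
size_t overflow_bytes(size_t value_len) {
    return value_len + 1 > NAME_SIZE ? value_len + 1 - NAME_SIZE : 0;
}

int main(void) {
    char *q = build_query(1590);
    char *pomus = get_param(q, "name");
    char name[NAME_SIZE];
    int truncated = copy_name_bounded(name, sizeof name, pomus);
    printf("name param: %zu bytes; unbounded strcpy would overflow by %zu bytes\n",
           strlen(pomus), overflow_bytes(strlen(pomus)));
    printf("bounded copy kept %zu bytes, truncated=%d\n", strlen(name), truncated);
    free(pomus);
    free(q);
    return 0;
}
```

With the 1590-byte name from the reproduction, the unbounded copy writes 1336 bytes past the end of name[] (1590 characters plus the NUL, minus the 255 bytes that fit), which is plenty to reach whatever sits above the buffer on the stack; the bounded version keeps 254 bytes and reports the truncation so the request can be refused.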