Multiple vulnerabilities in Pico Server (pServ) v3.3
discovered by Raphaël Rigo

Product: Pico Server (pServ)
Affected Version: 3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected: all
Risk: critical
Remote Exploit: yes
URL: http://pserv.sourceforge.net/

Overview
========

Pico Server is a small web server. It is meant to be portable and configurable.

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyser)
* forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that, by means of #define statements, can customize the behaviour, the performance and the feature set so as to better fit the requisites.

Vulnerabilities
===============

1) Directory traversal

A bug in the directory parsing code allows the attacker to access any directory the server has the right to access.

Details :
pServ computes the depth of the directory the user tries to access in the variable named depthCount. This count is decreased when a /../ is encountered; unfortunately, it is also increased when a /./ is encountered, allowing the attacker to use one /./ for each /../ to make sure depthCount never becomes negative.

Risk : HIGH
The attacker may gain important information about the system that could lead to other attacks.

Proof of concept :
access : http://www.example.com/./../

Workaround :
There is no workaround for this vulnerability.

Solution :
Update to v3.4

-----------------------------------------------------------------------

2) Remote command execution

The directory traversal vulnerability described above also enables remote command execution. This may help an attacker to compromise the server.

Details :
pServ considers every request beginning with /cgi-bin/ as a script execution, so a traversal path under /cgi-bin/ can name any executable on the system.

Risk : CRITICAL
The attacker may use this vulnerability to destroy data or for other attacks (e.g. use wget to download root exploits).

Proof of concept :
access : http://www.example.com/cgi-bin/./.././../usr/bin/ls

Workaround :
Disable cgi-bin support at compile time.

Solution :
Update to v3.4

-----------------------------------------------------------------------

3) Multiple heap overflows in cgi execution

The lack of bounds checking for cgi arguments allows an attacker to overflow the allocated memory, possibly allowing for remote code execution.

Details :
Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux), but the attacker is only limited by the maximum request length (2048). The malloc'ed buffer can therefore be overflowed.

Risk : HIGH
Successful exploitation can lead to arbitrary code execution.

Workaround :
Disable cgi-bin support at compile time.

Solution :
Update to v3.4

-----------------------------------------------------------------------

Timeline
========

2005-05-18 Discovery
2005-05-19 First attempt to contact developer
2005-05-21 Second attempt
2005-05-22 Developer reply
2005-06-11 Fixed version 3.4 released and advisory published
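The C program below is an added example, not pServ's code and not part of the advisory; it shows the two checks a server of this kind needs to close vulnerabilities 1 to 3. The first is a segment-wise path canonicalizer: a "." segment is discarded rather than counted, so the "/./" trick that kept depthCount non-negative has no effect, and any ".." that would climb above the document root is rejected outright. The second is a bounded copy for CGI arguments that refuses anything not fitting the MAX_PATH_LEN buffer together with its terminator. The constants 128 and 2048 are the values quoted in the advisory; the function names, the 256-byte output buffer and the sample paths other than the advisory's two proofs of concept are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits quoted in the advisory: per-argument buffer size, maximum request length. */
#define MAX_PATH_LEN    128
#define MAX_REQUEST_LEN 2048

/* Canonicalize a request path segment by segment: returns 0 and writes the
 * canonical path into out (capacity outlen) if it stays inside the document
 * root, -1 if a ".." would climb above the root or the input is malformed.
 * A "." segment is discarded, never counted, so "/./" cannot offset a "/../". */
int normalize_request_path(const char *path, char *out, size_t outlen)
{
    const char *segs[MAX_REQUEST_LEN / 2];   /* kept segments, at most 1023 */
    size_t lens[MAX_REQUEST_LEN / 2];
    size_t nseg = 0, used = 0, i;
    const char *p = path;
    if (path == NULL || path[0] != '/' || outlen < 2 || strlen(path) >= MAX_REQUEST_LEN)
        return -1;
    while (*p != '\0') {
        const char *start; size_t len;
        while (*p == '/')                   /* collapse runs of slashes */
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                       /* "." never changes depth */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nseg == 0)
                return -1;                  /* would escape the root */
            nseg--;
            continue;
        }
        segs[nseg] = start;
        lens[nseg++] = len;
    }
    out[used++] = '/';
    for (i = 0; i < nseg; i++) {
        if (i > 0)
            out[used++] = '/';
        if (used + lens[i] >= outlen)
            return -1;
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

/* 1 if path canonicalizes inside the root to exactly expected, else 0. */
int canonical_equals(const char *path, const char *expected)
{
    char out[256];                          /* assumed output capacity */
    return normalize_request_path(path, out, sizeof out) == 0 &&
           strcmp(out, expected) == 0;
}

/* Copy one CGI argument into a fresh MAX_PATH_LEN buffer, or return NULL if it
 * would not fit with its terminator (the bound the unfixed code lacked). */
char *copy_cgi_arg(const char *arg, size_t arglen)
{
    char *buf;
    if (arg == NULL || arglen >= MAX_PATH_LEN)
        return NULL;
    buf = malloc(MAX_PATH_LEN);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, arglen);
    buf[arglen] = '\0';
    return buf;
}

/* 1 if a request-sized (2047-byte) argument is refused, 0 if it is accepted. */
int overlong_arg_is_refused(void)
{
    char arg[MAX_REQUEST_LEN], *copy;
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    copy = copy_cgi_arg(arg, sizeof arg - 1);
    free(copy);                             /* free(NULL) is a no-op */
    return copy == NULL;
}

int main(void)
{
    /* Constructed paths; the first two are the advisory's proofs of concept. */
    const char *paths[] = { "/./../", "/cgi-bin/./.././../usr/bin/ls", "/docs/../index.html" };
    char out[256];
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%s %s\n", normalize_request_path(paths[i], out, sizeof out) == 0 ? "ALLOW" : "DENY ", paths[i]);
    printf("overlong CGI argument refused: %d\n", overlong_arg_is_refused());
    return 0;
}
```

Two points matter when applying this in a real server. The canonical path, not the raw request, is what the /cgi-bin/ dispatch and the filesystem open must be based on, otherwise the traversal check and the script check disagree about which file is meant; and percent-encoded bytes (%2e, %2f) must be decoded before canonicalization, since a check that runs on the encoded form sees no dots at all. The canonicalizer also drops a trailing slash, so a server that distinguishes directory requests from file requests has to record that before calling it.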