---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
---------------------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High

---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Sws Web Server
version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description : SWS is a web server for static web pages. SWS is very simple and fast.
              It is written in GCC and you can distribute it under the GPL license.

---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~~

A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary code. The format string vulnerability and buffer overflow
can be found in the sws_web_server.c and ayardosyasi.h files:

------------------ ayardosyasi.h ------------------------
...........
char homedizini[50];
char defaultsayfa[50];
char hatasayfasi[100];
...........
void open_log_file (void)
{
  ....
  syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server log files cannot opened. ");
  exit (1);
...........

------------------ sws_web_server.c------------------------
cp = buf + 5;
...........
if (buf[strlen (buf) - 1] == '/')
{
  strcpy (cp, defaultsayfa);
  strcpy (home, homedizini);
  strcat (home, cp);
.............
syslog(LOG_INFO, "Application finished.");
free(recvBuffer);
exit (1);
-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and buffer overflow vulnerabilities have been found.
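As an added example (not code from the advisory or from SWS itself), the C below shows a bounds-checked replacement for the strcpy()/strcat() sequence that builds the local file path, next to a syslog() call that keeps the format string constant and passes request text only through %s. The helper names, the size of the home path buffer and the sample inputs are assumptions; the two syslog() calls visible in the excerpt already use constant formats, so the fixed-format call is the pattern to apply wherever request-derived text reaches the log.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Array sizes mirror the declarations shown in ayardosyasi.h. */
#define HOME_LEN 50
#define PAGE_LEN 50
#define PATH_LEN 256   /* assumed size of the 'home' buffer; not given in the advisory */

/*
 * Bounds-checked reconstruction of the path-building intent in sws_web_server.c:
 * "<homedizini><request path>" plus defaultsayfa when the request names a
 * directory. Returns 0 on success, -1 when the result would not fit in out.
 */
int build_local_path(char *out, size_t outlen, const char *homedizini,
                     const char *req_path, const char *defaultsayfa)
{
    size_t n = strlen(req_path);
    const char *suffix = (n > 0 && req_path[n - 1] == '/') ? defaultsayfa : "";

    /* snprintf returns the length it wanted; >= outlen means it was truncated. */
    int r = snprintf(out, outlen, "%s%s%s", homedizini, req_path, suffix);
    if (r < 0 || (size_t)r >= outlen) {
        out[0] = '\0';   /* never leave a partial path behind */
        return -1;
    }
    return 0;
}

/* Request text goes in as an argument, never as the format string itself. */
void log_request(const char *req_path)
{
    syslog(LOG_INFO, "request: %s", req_path);
}

/* Self-check: 1 when a fitting path is built and an oversized one is refused. */
int self_check(void)
{
    char big[PATH_LEN], small[16];   /* constructed inputs, not advisory data */
    return build_local_path(big, sizeof big, "/var/www/", "docs/", "index.html") == 0
        && strcmp(big, "/var/www/docs/index.html") == 0
        && build_local_path(small, sizeof small, "/var/www/", "docs/", "index.html") == -1
        && small[0] == '\0';
}

int main(void)
{
    printf("hardened path builder %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```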
The problems likely exist due to user-supplied data being passed as the format
argument to syslog(). It may be possible for a remote attacker to cause process
memory to be overwritten by supplying certain format specifiers, enabling the
attacker to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------