Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33

from [André Malo] Network Security [Permanent Link]
Subject: Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?
Date: Fri, 29 Oct 2004 23:53:16 +0200 
* Larry Cashdollar <lwc@vapid.ath.cx> wrote:


This was posted on the full-disclosure list sept 16 2004 by
Luiz Fernando.

http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html

The nessus check for this vulnerability recommends upgrading to
Apache version 1.3.32:

http://cgi.nessus.org/plugins/dump.php3?id=14771

But in Apache 1.3.33:

lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c
    strcpy(record, user);
        strcpy(pwfilename, argv[i]);
    strcpy(user, argv[i + 1]);
        strcpy(password, argv[i + 2]);
            strcpy(scratch, line);

It is still vulnerable.


If you start htpasswd from a shell and you exploit some kind of buffer
overflow, you get ... a shell?. Wow!

Whoever runs htpasswd setuid is darn silly. The httpd developers, the docs and
commonsense tell, that the program is just not designed for such an intention.

Or in other words, take any program that's not designed for being run setuid
and you'll find a "vulnerability" (e.g. with malloc debug environment
variables or the like).

Sorry, I can't see a security vulnerability here.

nd
-- 

[...] weiß jemand zufällig, was der Tag DIV ausgeschrieben bedeutet?

DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da
so reinpacken und dann absolut positionieren ...
                           -- Florian Hartig und Lars Kasper in dciwam
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: New URL spoofing bug in Microsoft Internet Explorer, Jérôme
Next by Date:  Re: Update: Web browsers - a mini-farce (MSIE gives in), Chris Paget
Previous by Thread:  local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?, Larry Cashdollar
Next by Thread:  Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?, Michael Engert
Indexes:  [Date] [Thread] [Top] [All Lists]