Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format Strin

from [the_day] Network Security [Permanent Link]
Subject: [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
Date: 28 Apr 2006 07:22:33 -0000 
---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String 
Vulnerability
---------------------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 28th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Sws Web Server
version     : < 0.1.7
URL         : http://www.linuxprogramlama.com/
Description :

SWS is web server for static web pages. 
SWS is very simple and fast. It's written in GCC and you can distribute with 
GPL license.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to 
cause the
program to execute arbitrary. 
The format string vulnerability and buffer overflow can be found in 
sws_web_server.c ayardosyasi.h file: 

------------------ ayardosyasi.h ------------------------

                ...........
                char homedizini[50];            
                char defaultsayfa[50];          
                char hatasayfasi[100];
                ...........
                void open_log_file (void)
                {
                ....
                syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og 
files cannot     opened. ");
                exit (1);
                ...........
                
------------------ sws_web_server.c------------------------
                
                cp = buf + 5;
                ...........
                if (buf[strlen (buf) - 1] == '/')
                {
                      strcpy (cp, defaultsayfa);
                      strcpy (home, homedizini);
                      strcat (home, cp);
                .............
                syslog(LOG_INFO, "Application finished.");
                  free(recvBuffer);
                  exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been 
found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability, the_day <=
Previous by Date:  Secunia Research: Servant Salamander unacev2.dll Buffer Overflow Vulnerability, Secunia Research
Next by Date:  Cireos Portal Cross Site Scripting, outlaw
Previous by Thread:  Secunia Research: Servant Salamander unacev2.dll Buffer Overflow Vulnerability, Secunia Research
Next by Thread:  Cireos Portal Cross Site Scripting, outlaw
Indexes:  [Date] [Thread] [Top] [All Lists]