Re: [Full-Disclosure] H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 04/30/04

  • Next message: Janek Vind: "[Full-Disclosure] [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]"
    To: Slotto Corleone <slotto@gmail.com>
    Date: Fri, 30 Apr 2004 19:49:54 +0400
    
    

    Dear Slotto Corleone,

    --Friday, April 30, 2004, 3:43:15 AM, you wrote to full-disclosure@lists.netsys.com:

    SC> - sphiro/libhttp/http_socks.c
    SC> int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
    SC> ...
    SC> char buffer[MAX_READ +1];
    SC> char auth_buff[MAX_READ+1];
    SC> char filename[128];
    SC> ...
    SC> ...

    <skipped>

    SC> sprintf(filename,"%s%s",config->webroot,request); <-- oops

    According to the information you provided, this is a stack overflow, not a heap
    overflow. And in this very case it does not look to be exploitable, because beyond
    the filename boundary sprintf() overwrites the beginning of auth_buff. Of course
    I may be wrong; a full analysis of the source code is required to draw a
    conclusion.

    -- 
    ~/ZARAZA
    Even if you do receive some letter, you still will not be able to read it. (Twain)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
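The quoted sprintf() into filename[128] is the whole issue: the write is unbounded, so a long request spills into whatever local buffer follows on the stack. Added here as an illustration (not Sphiro's code, and build_path is a hypothetical replacement, not anything from the advisory): a bounded version of that path build that rejects a request which would not fit, which is the mitigation whether or not the neighbouring buffer happens to make the overflow exploitable.

```c
#include <stdio.h>
#include <string.h>

#define FILENAME_LEN 128  /* same fixed size as the quoted filename[128] */

/* Hypothetical replacement for sprintf(filename, "%s%s", webroot, request).
 * Returns 0 and fills out[] when webroot+request fits in outlen bytes,
 * -1 (with out[] set to "") when the result would have been truncated. */
int build_path(char *out, size_t outlen, const char *webroot, const char *request)
{
    if (out == NULL || outlen == 0 || webroot == NULL || request == NULL)
        return -1;
    /* snprintf never writes past outlen, but returns the length it wanted;
     * a value >= outlen means the path was cut off and must not be used. */
    int needed = snprintf(out, outlen, "%s%s", webroot, request);
    if (needed < 0 || (size_t)needed >= outlen) {
        out[0] = '\0';  /* never hand a truncated path to the file-open code */
        return -1;
    }
    return 0;
}

/* Mirrors the situation in the quoted get_request(): a 128-byte filename
 * buffer on the stack next to other locals. With build_path the write is
 * bounded, so a constructed 300-byte request is rejected instead of
 * overwriting the adjacent buffers. Returns 1 when both cases behave. */
int demo(void)
{
    char filename[FILENAME_LEN];
    char long_request[300];               /* constructed over-long request */
    memset(long_request, 'A', sizeof long_request - 1);
    long_request[0] = '/';
    long_request[sizeof long_request - 1] = '\0';

    int short_ok = build_path(filename, sizeof filename, "/var/www", "/index.html");
    int long_ok  = build_path(filename, sizeof filename, "/var/www", long_request);
    return (short_ok == 0 && long_ok == -1 && filename[0] == '\0') ? 1 : 0;
}

int main(void)
{
    printf("bounded path build behaves as expected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```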
    
