[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability



---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
---------------------------------------------------------------------------------------

Author : Dedi Dwianto
Date : April, 28th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : Sws Web Server
version : < 0.1.7
URL : http://www.linuxprogramlama.com/
Description :

SWS is web server for static web pages.
SWS is very simple and fast. It's written in GCC and you can distribute with GPL license.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary.
The format string vulnerability and buffer overflow can be found in
sws_web_server.c ayardosyasi.h file:

------------------ ayardosyasi.h ------------------------

...........
char homedizini[50];
char defaultsayfa[50];
char hatasayfasi[100];
...........
void open_log_file (void)
{
....
syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og files cannot opened. ");
exit (1);
...........

------------------ sws_web_server.c------------------------

cp = buf + 5;
...........
if (buf[strlen (buf) - 1] == '/')
{
strcpy (cp, defaultsayfa);
strcpy (home, homedizini);
strcat (home, cp);
.............
syslog(LOG_INFO, "Application finished.");
free(recvBuffer);
exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------



Relevant Pages

  • [UNIX] SWS Server Denial of Service Attack POF
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Anyone can kill SWS Web Server v0.1.0 remotely. ... * A: break break break ...
    (Securiteam)
  • SWS Web Server v0.1.0 Exploit
    ... Anyone can kill SWS Web Server v0.1.0 remotely. ... * A: break break break ... struct hostent *adres; ...
    (Bugtraq)
  • [VulnWatch] SWS Web Server v0.1.0 Exploit
    ... Anyone can kill SWS Web Server v0.1.0 remotely. ... * A: break break break ... struct hostent *adres; ...
    (VulnWatch)