Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: hack2226.htm

local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?



local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?

This was posted on the full-disclosure list sept 16 2004 by
Luiz Fernando.

http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.ht ml

The nessus check for this vulnerability recommends upgrading to
Apache version 1.3.32:

http://cgi.nessus.org/plugins/dump.php3?id=14771 

But in Apache 1.3.33:

lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c
    strcpy(record, user);
        strcpy(pwfilename, argv[i]);
    strcpy(user, argv[i + 1]);
        strcpy(password, argv[i + 2]);
            strcpy(scratch, line);

It is still vulnerable.

I patched my version that seemed to thwart the exploit offered by
Luiz.  Here is the diff:

root@bokchoy:~/tes/apache_1.3.33/src/support# diff -uN  htpasswd.orig.c
htpasswd.c
--- htpasswd.orig.c     2004-10-28 18:20:13.000000000 -0400
+++ htpasswd.c  2004-10-28 18:17:25.000000000 -0400
@@ -202,9 +202,9 @@
        ap_cpystrn(record, "resultant record too long", (rlen - 1));
        return ERR_OVERFLOW;
     }
-    strcpy(record, user);
+    strncpy(record, user,MAX_STRING_LEN - 1);
     strcat(record, ":");
-    strcat(record, cpw);
+    strncat(record, cpw,MAX_STRING_LEN - 1);
     return 0;
 }

@@ -410,14 +410,14 @@
            fprintf(stderr, "%s: filename too long\n", argv[0]);
            return ERR_OVERFLOW;
        }
-       strcpy(pwfilename, argv[i]);
+       strncpy(pwfilename, argv[i], MAX_STRING_LEN-1);
        if (strlen(argv[i + 1]) > (sizeof(user) - 1)) {
            fprintf(stderr, "%s: username too long (>%lu)\n", argv[0],
                    (unsigned long)(sizeof(user) - 1));
            return ERR_OVERFLOW;
        }
     }
-    strcpy(user, argv[i + 1]);
+    strncpy(user, argv[i + 1],MAX_STRING_LEN-1);
     if ((arg = strchr(user, ':')) != NULL) {
        fprintf(stderr, "%s: username contains illegal character
'%c'\n",
                argv[0], *arg);
@@ -429,7 +429,7 @@
                    (unsigned long)(sizeof(password) - 1));
            return ERR_OVERFLOW;
        }
-       strcpy(password, argv[i + 2]);
+       strncpy(password, argv[i + 2],MAX_STRING_LEN - 1 );
     }

 #ifdef WIN32
@@ -553,7 +553,7 @@
                putline(ftemp, line);
                continue;
            }
-           strcpy(scratch, line);
+           strncpy(scratch, line,MAX_STRING_LEN -1);
            /*
             * See if this is our user.
             */


Larry W. Cashdollar
http://vapid.ath.cx 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH