COMMAND
cgic library
SYSTEMS AFFECTED
Systems using cgic (mostly)
PROBLEM
Jon Ribbens found the following. Thomas Boutell's cgic library
(version 1.05) has a buffer overflow in cgiFormEntryString() which
is almost certainly exploitable (although this obviously depends
on the program that has linked with cgic).
The fault is that the routine checks 'len == avail' before
examining each input character, but if the character is not CR or
LF then 'len' is not re-checked after outputting the pending LFs
and before outputting the character itself (i.e. it checks that
there is 1 byte free in the buffer, but can then place 2 bytes in
the buffer before checking again). So if 'avail' is 'n' and the
'n-1'th character is LF or CR and the 'n'th character is *not* LF
or CR, the character is written at the end of the buffer (because
avail == sizeofbuffer-1), leaving len = avail + 1. Since the code
always tests 'len == avail' rather than 'len >= avail', the
overflow detection never kicks in again, and the routine keeps
copying until the end of the input. The attacker is free to copy
whatever data they desire into the memory above the buffer.
As an example, the cgictest program can be segfaulted by:
$ REQUEST_METHOD=GET QUERY_STRING='address=<240 x letter 'A'>%0A<1000 x letter 'A'>' ./cgictest
Content-type: text/html
<HTML><HEAD>
<TITLE>cgic test</TITLE></HEAD>
<BODY><H1>cgic test</H1>
Name: <BR>
Address: <PRE>
<lots of letter A's>
Segmentation fault (core dumped)
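The following C is an added model of the faulty check described above, not cgic's own source: the shape of the loop (CR/LF collapsed to one pending LF that is emitted before the next ordinary character) and the names copy_faulty and copy_fixed are assumptions. The caller passes a 'dst' with spare room so the overrun is counted rather than corrupting memory.

```c
#include <stddef.h>
#include <string.h>

/* Assumed model of the 1.05 loop: the bounds test runs once per input
   character, yet a pending LF plus the character itself can add two
   bytes.  Once 'len' has passed 'avail', 'len == avail' is never true
   again and every remaining input byte is copied.  'avail' is the
   usable space in 'dst' (buffer size minus one for the terminator). */
size_t copy_faulty(const char *src, char *dst, size_t avail)
{
    size_t len = 0;
    int pending_newline = 0;
    for (; *src; src++) {
        if (len == avail)            /* only check: equality, once per char */
            break;
        if (*src == '\r' || *src == '\n') {
            pending_newline = 1;     /* CR/LF run becomes a single LF */
            continue;
        }
        if (pending_newline) {       /* may bring len up to avail ...   */
            dst[len++] = '\n';
            pending_newline = 0;
        }
        dst[len++] = *src;           /* ... and this writes one past it */
    }
    dst[len] = '\0';
    return len;                      /* > avail means the buffer was overrun */
}

/* Corrected model: test 'len >= avail' immediately before every write,
   so neither the pending LF nor the character can go past 'avail'. */
size_t copy_fixed(const char *src, char *dst, size_t avail)
{
    size_t len = 0;
    int pending_newline = 0;
    for (; *src; src++) {
        if (*src == '\r' || *src == '\n') {
            pending_newline = 1;
            continue;
        }
        if (pending_newline) {
            if (len >= avail) break;
            dst[len++] = '\n';
            pending_newline = 0;
        }
        if (len >= avail) break;
        dst[len++] = *src;
    }
    dst[len] = '\0';
    return len;                      /* never exceeds avail */
}
```

With avail = 4, the constructed input "AAA\nBBBB" (three ordinary bytes, a LF, then more data, the same pattern as the cgictest query above) makes copy_faulty emit all 8 input bytes, while copy_fixed stops at 4.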
Oh, one other point is that the 'cgiSaferSystem' function appears
to be seriously misguided. It is merely escaping the '|' and ';'
characters, which is of course totally inadequate.
SOLUTION
Seems to be solved. On Thomas Boutell's site, take a look at:
http://www.boutell.com/cgic/#whatsnew106
Upgrading to version 1.06 is strongly recommended.