COMMAND
wwwwais.c
SYSTEMS AFFECTED
wwwwais v25
PROBLEM
'auto122896' reported the following. wwwwais.c is a CGI-based
application that provides a front end to several WAIS query tools.
'auto122896' was unable to locate the main distribution site for
it, but source code can be found at the following locations:
http://www.spawar.navy.mil/planet_earth/free/wwwwais/
http://sunsite.bilkent.edu.tr/pub/infosystems/wwwwais/
http://xenia.sote.hu/ftp/www/tools/index/wwwwais/
http://www.doc.mmu.ac.uk/DEVELOPMENT/scripts/
http://yardim.bilkent.edu.tr/WWW/wwwwais/
http://wwwmaths.anu.edu.au/atc/wwwwais/
This discussion applies to wwwwais.25.c, which appears to be the
latest version.
(1) The attacker uses the GET method, causing execution of the
following code:
136 static char query_string[MAXSTRLEN],
[...]
196     else if (!strncmp(method, "GET", 3)) {
197         query = (char *) getenv("QUERY_STRING");
198         if (query == NULL)
199             query_string[0] = '\0';
200         else
201             strcpy(query_string, query);
query_string is a character array allocated in the BSS segment.
Its size is MAXSTRLEN, which is defined as 1024. The POST method
won't work for this overflow because a guard variable bounds the
copy when that method is processed.
211 version = ((getvalue(VERSIONTXT, ""))[0] == '\0') ? 0 : 1;
As can be seen, getvalue() is invoked immediately afterwards.
(2) The attacker prepends "version=666&" to QUERY_STRING in order
to force execution of the strcpy at line 351 in the following
code:
335 {
336     int i;
337     char *c, *argp, argstr[MAXSTRLEN];
338     static char value[MAXSTRLEN], tmpstr[MAXSTRLEN];
339
340     if (query_string[0] == '\0' || !lstrstr(query_string, var)) {
341         argp = (char *) getenv("PATH_INFO");
342         if (argp == NULL || !lstrstr(argp, var)) {
343             if (strlen(def) <= 1)
344                 return "\0";
345             strcpy(tmpstr, decode(def));
346             return tmpstr;
347         }
348         strcpy(argstr, argp);
349     }
350     else
351         strcpy(argstr, query_string);
352
353     for (i = 0, c = (char *) lstrstr(argstr, var) +
354          strlen(var); *c && i < MAXSTRLEN && *c != '&'; c++)
355         value[i++] = *c;
356     value[i] = '\0';
357
358     if (i) {
359         strcpy(tmpstr, decode(value));
360         return tmpstr;
361     }
argstr is allocated on the stack; therefore the attacker can
overwrite the activation record by crafting QUERY_STRING
appropriately.
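The following is an added example, not code from wwwwais.c, showing what a bounded version of the GET copy at line 201 and the value-extraction loop at lines 353-356 looks like: the QUERY_STRING is rejected when it cannot fit in the MAXSTRLEN buffer, and the value copy takes the output size from the caller instead of trusting the input. The function names ending in _bounded, check_example(), and the use of strstr in place of the program's lstrstr helper are assumptions made for this illustration; URL decoding is left out.

```c
/* Added example, not wwwwais code: bounded replacements for the GET copy
 * at line 201 and the value loop at lines 353-356.  The *_bounded names
 * and check_example() are assumptions; strstr stands in for lstrstr. */
#include <string.h>

#define MAXSTRLEN 1024                  /* same limit as wwwwais.c */

/* Copy QUERY_STRING into the fixed buffer only if it fits with its NUL.
 * Returns 0 on success, -1 (dst left empty) when the input is too long. */
int load_query_bounded(const char *query, char dst[MAXSTRLEN])
{
    dst[0] = '\0';
    if (query == NULL) return 0;
    if (strlen(query) >= MAXSTRLEN) return -1;
    memcpy(dst, query, strlen(query) + 1);
    return 0;
}

/* Extract the value of var ("version=", "keywords=", ...) up to the next
 * '&'.  out is always NUL-terminated; -1 reports a truncated value. */
int getvalue_bounded(const char *qs, const char *var, char *out, size_t outlen)
{
    const char *c = strstr(qs, var);
    size_t i = 0;
    if (outlen == 0) return -1;
    if (c == NULL) { out[0] = '\0'; return 0; }
    for (c += strlen(var); *c && *c != '&'; c++) {
        if (i + 1 >= outlen) { out[i] = '\0'; return -1; } /* room for NUL */
        out[i++] = *c;
    }
    out[i] = '\0';
    return 0;
}

/* Constructed inputs: a normal query, one far longer than MAXSTRLEN, and
 * a value too wide for its output.  Returns the number of failed checks. */
int check_example(void)
{
    static char qs[MAXSTRLEN], val[8], big[4096];
    int bad = 0;
    memset(big, 'A', sizeof big - 1);   /* 4095 'A's: cannot fit in qs */
    big[sizeof big - 1] = '\0';
    bad += load_query_bounded(big, qs) != -1 || qs[0] != '\0';
    bad += load_query_bounded("version=1&keywords=foo", qs) != 0;
    bad += getvalue_bounded(qs, "version=", val, 8) != 0 || strcmp(val, "1");
    bad += getvalue_bounded(qs, "keywords=", val, 8) != 0 || strcmp(val, "foo");
    bad += getvalue_bounded("x=12345678", "x=", val, 8) != -1 || strcmp(val, "1234567");
    return bad;
}
```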
The attacker will most likely gain access to the system running
the vulnerable application, with privileges equivalent to those
belonging to the webserver process. However, most attackers will
use fork-bomb shellcode that could bring your server to a complete
standstill. It is estimated that 200-300 sites are vulnerable to
this overflow.
It's probable that there are many other vulnerabilities existing
in wwwwais.c, but the one mentioned above is by far the easiest
to exploit.
SOLUTION
Workaround: `rm -f wwwwais*`