COMMAND

    wwwwais.c

SYSTEMS AFFECTED

    wwwwais v25

PROBLEM

    'auto122896' found the following.  wwwwais.c is a CGI-based
    application that provides a frontend to several WAIS query tools.
    'auto122896' was unable to locate the main distribution site for
    it, but source code can be found at the following locations:

        http://www.spawar.navy.mil/planet_earth/free/wwwwais/
        http://sunsite.bilkent.edu.tr/pub/infosystems/wwwwais/
        http://xenia.sote.hu/ftp/www/tools/index/wwwwais/
        http://www.doc.mmu.ac.uk/DEVELOPMENT/scripts/
        http://yardim.bilkent.edu.tr/WWW/wwwwais/
        http://wwwmaths.anu.edu.au/atc/wwwwais/

    This discussion applies to  wwwwais.25.c, which appears to  be the
    latest version.

    (1) The  attacker uses  the GET  method, causing  execution of the
    following code:

        136 static char query_string[MAXSTRLEN],
        [...]
        196         else if (!strncmp(method, "GET", 3)) {
        197                 query = (char *) getenv("QUERY_STRING");
        198                 if (query == NULL)
        199                         query_string[0] = '\0';
        200                 else
        201                         strcpy(query_string, query);

    query_string is a  character array allocated  in the BSS  segment.
    Its size is MAXSTRLEN, which translates to 1024.  The POST  method
    won't work for this overflow  because a guard variable is  used to
    process it.

        211  version = ((getvalue(VERSIONTXT, ""))[0] == '\0') ? 0 : 1;

    As can be seen, getvalue() is invoked immediately afterwards.

    (2) The attacker prepends "version=666&" to QUERY_STRING in  order
    to force  execution of  the strcpy  at line  351 in  the following
    code:

        335 {
        336         int i;
        337         char *c, *argp, argstr[MAXSTRLEN];
        338         static char value[MAXSTRLEN], tmpstr[MAXSTRLEN];
        339
        340         if (query_string[0] == '\0' || !lstrstr(query_string, var)) {
        341                 argp = (char *) getenv("PATH_INFO");
        342                 if (argp == NULL || !lstrstr(argp, var)) {
        343                         if (strlen(def) <= 1)
        344                                 return "\0";
        345                         strcpy(tmpstr, decode(def));
        346                         return tmpstr;
        347                 }
        348                 strcpy(argstr, argp);
        349         }
        350         else
        351                 strcpy(argstr, query_string);
        352
        353         for (i = 0, c = (char *) lstrstr(argstr, var) +
        354         strlen(var); *c && i < MAXSTRLEN && *c != '&'; c++)
        355                 value[i++] = *c;
        356         value[i] = '\0';
        357
        358         if (i) {
        359                 strcpy(tmpstr, decode(value));
        360                 return tmpstr;
        361         }

    argstr  is  allocated  on  the  stack;  therefore the attacker can
    overwrite  the   activation  record   by  crafting    QUERY_STRING
    appropriately.
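    As an added example (not code from wwwwais.c), the following bounded
    lookup shows how a getvalue()-style routine can select one field from
    QUERY_STRING without first copying the whole string into a fixed-size
    stack buffer such as argstr.  It assumes var carries its trailing '='
    (as in "version=") and reports truncation to the caller instead of
    overrunning the output buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from wwwwais.c.  Looks up var in a '&'-separated
 * query string and copies only the matching value into out, capped at
 * outlen-1 bytes, so an overlong QUERY_STRING cannot overrun out.
 * Returns bytes stored, or -1 if var is absent; sets *truncated on cut. */
static int get_query_value(const char *query, const char *var,
                           char *out, size_t outlen, int *truncated)
{
    size_t vlen = strlen(var);
    const char *p = query;

    *truncated = 0;
    if (outlen == 0 || query == NULL)
        return -1;
    out[0] = '\0';

    /* Match var only at the start of a field, so "xversion=" does not
     * satisfy a lookup for "version=". */
    while (*p) {
        if (strncmp(p, var, vlen) == 0) {
            const char *v = p + vlen;
            size_t n = strcspn(v, "&");      /* value runs to next '&' */
            if (n > outlen - 1) {
                *truncated = 1;
                n = outlen - 1;
            }
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        p += strcspn(p, "&");
        if (*p == '&')
            p++;
    }
    return -1;
}

int main(void)
{
    char val[16];
    int t;
    /* constructed sample queries; the second exceeds the 16-byte val */
    int n = get_query_value("keywords=wais&version=666", "version=", val, sizeof val, &t);
    printf("version -> %d bytes '%s' truncated=%d\n", n, val, t);
    n = get_query_value("version=AAAAAAAAAAAAAAAAAAAAAAAAAAAA", "version=", val, sizeof val, &t);
    printf("long -> %d bytes truncated=%d\n", n, t);
    return 0;
}
```

    A caller that receives truncated=1 should reject the request rather
    than use the shortened value.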

    The attacker will  most likely gain  access to the  system running
    the vulnerable  application, with  privileges equivalent  to those
    belonging to the webserver process.  However, most attackers  will
    use fork-bomb shellcode that could bring your server to a complete
    standstill.  It is estimated that 200-300 sites are vulnerable  to
    this overflow.

    It's probable that there  are many other vulnerabilities  existing
    in wwwwais.c, but  the one mentioned  above is by  far the easiest
    to exploit.

SOLUTION

    Workaround: `rm -f wwwwais*`