Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Off-by-one vulnerability in thttpd!!!
From: David Rude II <banned-it () fatelabs com>
Date: 23 Nov 2001 01:03:33 -0000

Mailer: SecurityFocus
In-Reply-To: <20011120150406.29986.qmail () tsunami stormhosting com>

I have been trying to recreate this kind of
situation with no luck. Below I will go into
detail as to why I beleive this is so. Yes there
is a off-by-one bof here. However I have doubts
about its exploitability.

Bug is in libhttpd.c/auth_check():

static int
auth_check( httpd_conn* hc, char* dirname  )
   static char* authpath;
   static int maxauthpath = 0;
   struct stat sb;
   char authinfo[500];
   char* authpass;
   l = b64_decode( &(hc->authorization[6]),
authinfo, sizeof(authinfo) );
   authinfo[l] = '\0';

from what I can tell that struct seems to be on
the stack. If so this causing major problems in
trying to exploit this bug. Perhaps I'm wrong. Any
clarity is welcome.

   l = b64_decode( &(hc->authorization[6]),
authinfo, sizeof(authinfo) );
   authinfo[l] = '\0';

It made 'l' == 500 so "authinfo[500] = '\0'" be
made and buffer is made
overflow by one byte
I have been able to get this far but I get
different results. It looks like half the null is
going to the array and the other half somewhere
else. If I am wrong about the struct this could
mean exploitation but that would mean ebp would be
under control. I have yet to experience that.
Exploitable? Yes. If compiler arrange 'authinfo'
first on stack, then on x86
machine it possible to overwrite saved register
ebp value and fuck over
process like described by Olaf Kirch in 1998 team
bugtraq post which
describe "Poison NUL Byte" method of punching
hole in software to get in
I have read that posting. It describes your run of
the mill off-by-one overflow. Which with the
testing I have done does not seem to be the case
in this situation. However I maybe wrong.

2) Build and then:

[terminal 1]

mkdir test
echo "joe:blow" > test/.htpasswd
./thttpd -D -p 7777

[terminal 2] 

(printf "GET /test/ HTTP/1.0\r\nAuthorization:
Basic " ; printf `perl -e
'print "A"x550'` | openssl enc -base64 -e -in
/dev/stdin ; printf "\r\n\r\n") | nc 0 7777

[terminal 1]

We see '41'. This mean off-by-one overflow is
really present!

This is where I get really confused. I have
debugged thttpd during a normal and accurate basic
authentication session and compaired the registers
to the buffer overflow authentication session. ebp
seems to be untouched. I maybe wrong yet again but
I have always thought no control over ebp means no
execution of arbitrary code.

If anyone else has had better luck recreating this
scenario please respond. I would enjoy any
comments or clarity.

Fate Research Labs
IDS Division
[e] banned-it () fatelabs com
[w] www.fatelabs.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]