Full Disclosure: Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Slotto Corleone,



--Friday, April 30, 2004, 3:43:15 AM, you wrote to full-disclosure () lists netsys com:


SC> - sphiro/libhttp/http_socks.c
SC>  int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
SC> ...
SC>  char buffer[MAX_READ +1];
SC>  char auth_buff[MAX_READ+1];
SC>  char filename[128];
SC> ...
SC> ...

<skipped>

SC>  sprintf(filename,"%s%s",config->webroot,request);  <-- oops

According  to information you provided this is stack overflow, not heap.
And  in  this  very  case it looks not to be exploitable, because behind
filename boundaries sprintf() overwrites beginning of auth_buf. Of cause
I  may  be  wrong,  full  annalists  of  source  code  required  to make
conclusion.

-- 
~/ZARAZA
Åñëè äàæå âû ïîëó÷èòå êàêîå-íèáóäü ïèñüìî, âû âñå ðàâíî íå ñóìååòå åãî ïðî÷èòàòü. (Òâåí)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html