Home page logo

fulldisclosure logo Full Disclosure mailing list archives

pavuk buffer overflow
From: Ulf Härnhammar <Ulf.Harnhammar.9485 () student uu se>
Date: Fri, 2 Jul 2004 00:48:20 +0200

I have found a buffer overflow in pavuk 0.9pl28, 0.9pl27 and possibly
also in other versions. It has the identifier CAN-2004-0456.

When pavuk sends a request to a web server and the server sends back
the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP
Location header in an unsafe manner. This leads to a stack-based
buffer overflow with control over EIP.

I have attached a patch (against 0.9pl28) for this bug and a PHP
script that exhibits the problem.

Versions of pavuk with this problem are distributed by Debian
GNU/Linux (non-US), SUSE Linux and Gentoo Linux, as well as in
FreeBSD's and OpenBSD's port collections.

I finished auditing pavuk and sent off information about this
to Debian, SUSE, Gentoo and upstream on the 14th of June. SUSE
accidentally released their update on the 23rd... Gentoo released
their advisory (please credit me) on the 30th, which was the
agreed-upon release date.

// Ulf Harnhammar for the
   Debian Security Audit Project

Attachment: index.php

Attachment: pavuk.patch

  By Date           By Thread  

Current thread:
  • pavuk buffer overflow Ulf Härnhammar (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]