Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: local buffer overflow in htpasswd for apache 1.3.31 not fixed in .33?
From: Larry Cashdollar <lwc () vapid ath cx>
Date: Sat, 30 Oct 2004 10:31:00 -0400


Read the first post by Luiz.   This is only applicable if your running
apache chrooted and htpasswd is part of that chrooted environment.

On Fri, Oct 29, 2004 at 11:53:16PM +0200, Andr? Malo wrote:
* Larry Cashdollar <lwc () vapid ath cx> wrote:

This was posted on the full-disclosure list sept 16 2004 by
Luiz Fernando.

http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html

The nessus check for this vulnerability recommends upgrading to
Apache version 1.3.32:

http://cgi.nessus.org/plugins/dump.php3?id=14771

But in Apache 1.3.33:

lachoy# grep strcpy /install/src/apache_1.3.33/src/support/htpasswd.c
    strcpy(record, user);
        strcpy(pwfilename, argv[i]);
    strcpy(user, argv[i + 1]);
        strcpy(password, argv[i + 2]);
            strcpy(scratch, line);

It is still vulnerable.

If you start htpasswd from a shell and you exploit some kind of buffer
overflow, you get ... a shell?. Wow!

Whoever runs htpasswd setuid is darn silly. The httpd developers, the docs and
commonsense tell, that the program is just not designed for such an intention.

Or in other words, take any program that's not designed for being run setuid
and you'll find a "vulnerability" (e.g. with malloc debug environment
variables or the like).

Sorry, I can't see a security vulnerability here.

nd
-- 
[...] wei? jemand zuf?llig, was der Tag DIV ausgeschrieben bedeutet?
DIVerses. Benannt nach all dem unstrukturierten Zeug, was die Leute da
so reinpacken und dann absolut positionieren ...
                           -- Florian Hartig und Lars Kasper in dciwam

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]