Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: [ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability

From: <the_day_at_echo.or.id>
Date: 28 Apr 2006 07:22:33 -0000
('binary' encoding is not supported, stored as-is) ---------------------------------------------------------------------------------------
[ECHO_ADV_31$2006] Sws Web Server 0.1.7 Strcpy() & Syslog() Format String Vulnerability
---------------------------------------------------------------------------------------

Author : Dedi Dwianto
Date : April, 28th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv31-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Sws Web Server
version : < 0.1.7
URL : http://www.linuxprogramlama.com/
Description :

SWS is web server for static web pages.
SWS is very simple and fast. It's written in GCC and you can distribute with GPL license.
---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
A format string vulnerability in Sws Web Server allows remote attackers to cause the
program to execute arbitrary.
The format string vulnerability and buffer overflow can be found in
sws_web_server.c ayardosyasi.h file:

------------------ ayardosyasi.h ------------------------

                ...........
                char homedizini[50];
                char defaultsayfa[50];
                char hatasayfasi[100];
                ...........
                void open_log_file (void)
                {
                ....
                syslog (LOG_INFO, "/var/log/sws_web_server/sws_web_server l og files cannot opened. ");
                exit (1);
                ...........
                
------------------ sws_web_server.c------------------------
                
                cp = buf + 5;
                ...........
                if (buf[strlen (buf) - 1] == '/')
                    {
                      strcpy (cp, defaultsayfa);
                      strcpy (home, homedizini);
                      strcat (home, cp);
                .............
                syslog(LOG_INFO, "Application finished.");
                  free(recvBuffer);
                  exit (1);

-----------------------------------------------------------

strcpy can cause a buffer overflow in cp because it does not do bounds checking.
Several potential format string and bufferoverflow vulnerabilities have been found.
The problems likely exist due to user-supplied data being passed
as the format specifier argument to a function in the syslog function.
It may be possible for a remote attacker to cause process memory to be
overwritten by supplying certain format specifiers, enabling the attacker
to cause the execution of supplied shellcode.

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker_at_yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Received on Apr 28 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]