
Date:	Sun, 10 Jan 1999 16:55:04 +0000
From:	Jon Ribbens <jon@OAKTREE.CO.UK>
Subject:      Buffer overflow in www.boutell.com cgic library
To:	BUGTRAQ@NETSPACE.ORG

Thomas Boutell's cgic library (version 1.05) has a buffer overflow in
cgiFormEntryString() which is almost certainly exploitable. (Although
it obviously depends on the program that has linked with cgic.)

The fault is because he is checking if 'len == avail' before examining each
input character, but if the character is not CR or LF then 'len' is not
checked after outputting the LFs but before outputting the character.
(i.e. it checks that there is 1 byte free in the buffer, but then it can
sometimes place 2 bytes in the buffer before checking again.)

i.e. if 'avail' is 'n' and the 'n-1'th character is LF or CR and the 'n'th
character is *not* LF or CR then the character will be written at the end
of the buffer (because avail == sizeofbuffer-1), and then len = avail + 1.
Since he always checks for 'len == avail' rather than 'len >= avail', this
means the overflow detection never kicks in, and the routine keeps copying
until the end of the input. The attacker is free to copy whatever data they
desire into the memory above the buffer.

As an example, the cgictest program can be segfaulted by:

$ REQUEST_METHOD=GET QUERY_STRING='address=<240 x letter 'A'>%0A<1000 x letter 'A'>' ./cgictest
Content-type: text/html

<HTML><HEAD>
<TITLE>cgic test</TITLE></HEAD>
<BODY><H1>cgic test</H1>
Name: <BR>
Address: <PRE>
<lots of letter A's>
Segmentation fault (core dumped)

Oh, one other point is that the 'cgiSaferSystem' function appears to be
seriously misguided. It is merely escaping the '|' and ';' characters, which
is of course totally inadequate.

I notified Thomas Boutell of this on 12th November 1998, he responded the
same day thanking me for the report, but the version being distributed on
www.boutell.com is still the buggy version.

(As an aside, I think it is safe to use Perl's quotemeta function before
sending a string to a shell. It puts a backslash before all characters
except [A-Za-z0-9_]. Am I right or wrong? ;-) )

Cheers


Jon
-- 
\/ Jon Ribbens / jon@oaktree.co.uk
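
The check ordering described in the message above, as an added example (not cgic's source and not code from the original post): flawed_store_count is a count-only reconstruction of the described 'len == avail' guard, and copy_field_checked is one hardened form. The function names, buffer sizes and sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count-only reconstruction of the guard described in the post: 'len == avail'
 * is tested once per input character. Nothing is written, so it is safe to run. */
size_t flawed_store_count(const char *src, size_t max)
{
    size_t len = 0, avail = max - 1, cr = 0, lf = 0;
    for (;; src++) {
        if (len == avail) break;              /* the only guard per input char */
        if (*src == '\r') { cr++; continue; }
        if (*src == '\n') { lf++; continue; }
        for (size_t n = cr > lf ? cr : lf; n && len != avail; n--)
            len++;                            /* pending line breaks become LFs */
        cr = lf = 0;
        if (*src == '\0') break;
        len++;                                /* character stored, no re-check */
    }
    return len;                               /* > avail means an overflow */
}

/* Hardened form: space is re-checked before every single store and the
 * result is always NUL-terminated. Returns 1 if truncated, 0 if it fitted. */
int copy_field_checked(const char *src, char *dst, size_t max)
{
    size_t len = 0, cr = 0, lf = 0, n = 0, avail;
    if (max == 0) return 1;                   /* no room even for the NUL */
    avail = max - 1;
    for (;; src++) {
        if (*src == '\r') { cr++; continue; }
        if (*src == '\n') { lf++; continue; }
        for (n = cr > lf ? cr : lf; n && len < avail; n--)
            dst[len++] = '\n';                /* each LF store is guarded */
        cr = lf = 0;
        if (n || *src == '\0' || len >= avail) break;
        dst[len++] = *src;                    /* reached only when len < avail */
    }
    dst[len] = '\0';
    return n || *src != '\0';                 /* unflushed LFs or unread input */
}

int main(void)
{
    char in[116], out[16];   /* constructed sample: 14 'A', LF, 100 'B' */
    memset(in, 'A', 14); in[14] = '\n'; memset(in + 15, 'B', 100); in[115] = '\0';
    int cut = copy_field_checked(in, out, sizeof out);
    printf("flawed guard: %zu stores; checked copy: truncated=%d stored=%zu\n",
           flawed_store_count(in, sizeof out), cut, strlen(out));
    return 0;
}
```

With a 16-byte buffer the flawed guard steps from 14 to 16 stored bytes on the first character after the LF, never equals 15 again, and runs to the end of the input; the checked copy stops at 15 bytes plus the terminator.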
