Date: Sun, 10 Jan 1999 16:55:04 +0000 From: Jon Ribbens <jon@OAKTREE.CO.UK> Subject: Buffer overflow in www.boutell.com cgic library To: BUGTRAQ@NETSPACE.ORG --uAKRQypu60I7Lcqm Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Thomas Boutell's cgic library (version 1.05) has a buffer overflow in cgiFormEntryString() which is almost certainly exploitable. (Although it obviously depends on the program that has linked with cgic.) The fault is because he is checking if 'len =3D=3D avail' before examining = each input character, but if the character is not CR or LF then 'len' is not checked after outputting the LFs but before outputting the character. (i.e. it checks that there is 1 byte free in the buffer, but then it can sometimes place 2 bytes in the buffer before checking again.) i.e. if 'avail' is 'n' and the 'n-1'th character is LF or CR and the 'n'th character is *not* LF or CR then the character will be written at the end of the buffer (because avail =3D=3D sizeofbuffer-1), and then len =3D avail= + 1. Since he always checks for 'len =3D=3D avail' rather than 'len >=3D avail',= this means the overflow detection never kicks in, and the routine keeps copying until the end of the input. The attacker is free to copy whatever data they desire into the memory above the buffer. As an example, the cgictest program can be segfaulted by: $ REQUEST_METHOD=3DGET QUERY_STRING=3D'address=3D<240 x letter 'A'>%0A<1000= x letter 'A'>' ./cgictest Content-type: text/html <HTML><HEAD> <TITLE>cgic test</TITLE></HEAD> <BODY><H1>cgic test</H1> Name: <BR> Address: <PRE> <lots of letter A's> Segmentation fault (core dumped) Oh, one other point is that the 'cgiSaferSystem' function appears to be seriously misguided. It is merely escaping the '|' and ';' characters, which is of course totally inadequate. I notified Thomas Boutell of this on 12th November 1998, he responded the same day thanking me for the report, but the version being distributed on www.boutell.com is still the buggy version. (As an aside, I think it is safe to use Perl's quotemeta function before sending a string to a shell. It puts a backslash before all characters except [A-Za-z0-9_]. Am I right or wrong? ;-) ) Cheers Jon --=20 \/ Jon Ribbens / jon@oaktree.co.uk --uAKRQypu60I7Lcqm Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia iQCVAwUBNpjbaIMzEl4yn7LtAQELiAQAvlywB18Z2x5RFeFnEqi/eqRJMozquxA3 gg661kfoAloO1hJ5p2fTUR/ITCXd1DcveZ7IhYxNEZ/Amw/f0vS0eSPKPqHXcA+s 7xnNYJDnGpE9ZbyUJiE8Gtc2HpEMRsgTaA1J8XjKjy916JFy0JqtM6RA97f8okiH 3L3fMDuDJ5U= =wfku -----END PGP SIGNATURE----- --uAKRQypu60I7Lcqm--