Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Remote multiple vulnerability in apt-www-proxy

Remote multiple vulnerability in apt-www-proxy

by Nikola Strahija on December 11th, 2002 apt-www-proxy is a proxy server designed specificly for apt-get http:// repositories.


It gathers files that clients request, and then
simultaneously retrieves, streams to client, and to local disk archive
based on a set of archive mappings a lot like apt-proxy does. I
decided to write this due to the unstable nature of apt-proxy. IMHO
this is due to it being written in shell script. It's a good design,
just was never implemented in the right kind of language.

[1]apt-www-proxy 0.1 - accepts clients and automaticly says "not
found". nifty eh? 8-P

And of course, who would be without the [2]latest snapshot!

Back to my [3]homepage!

References

1. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/apt-www-proxy-0.1.tar.gz
2. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/latest-AWP.tar.bz2
3. http://ironsides.terrabox.com/~ahzz/index.html
bash$
--

Let's analyze.

Examine syslog() function first.
There is awp_log() function to 173 lines of 'src/utils.c' code.

__
173 void awp_log(int level, const char *message)
...
222 if((level < LOG_DEBUG) || (1 == logit))
224 /* log that information */
227 syslog(level, message); // Here.
...
--

It's very bad state.
awp_log() function is used as follows.
Format string bug happens by setting file error log.

Let's find awp_log() function in 'apt-www-proxy.c' code.

__
47 awp_log(LOG_DATA, errlog);
78 awp_log(LOG_DATA, errlog);
93 awp_log(LOG_DATA, errlog);
130 awp_log(LOG_DATA, errlog);
146 awp_log(LOG_DATA, errlog);
157 awp_log(LOG_GEN, errlog);
287 awp_log(LOG_NOTICE, errlog);
500 awp_log(LOG_NOTICE,errlog);
510 awp_log(LOG_CRIT, errlog);
527 awp_log(LOG_ERR, errlog);
538 awp_log(LOG_INFO, errlog);
546 awp_log(LOG_NOTICE, errlog);
554 awp_log(LOG_NOTICE, errlog);
560 awp_log(LOG_NOTICE, errlog);
572 awp_log(LOG_NOTICE, errlog);
--

Second, examine remote DoS vulnerability.
We read 'utils.c' code again.

__
260 int parse_get(struct client * client)
...
268 /* now match against the archives */
269 if(!strncmp("http://", client->get, 7)) // Here.
270 {
271 /* AHHA! It's a full URL. */
--

If 'client->get' value is NULL, strncmp() function segfault happens crash.
Program function execution structure is as following.

----------------------------------------------------------------------
main()->main_loop()->process_cli()->parse_get()->strncmp()->'segfault'
----------------------------------------------------------------------


0x02. Vulnerable Packages


Vendor site: http://ironsides.terrabox.com/~ahzz/apt-www-proxy/

apt-www-proxy 0.1
-apt-www-proxy-0.1.tar.gz
+Linux


0x03. Exploit



"We don't want to compose DoS code."


0x04. Patch


=== utils.patch ===

--- utils.c Mon Oct 22 15:20:29 2001
+++ utils.patch.c Sat Nov 30 02:26:35 2002
@@ -224,11 +224,11 @@
/* log that information */
if(background)
{
- syslog(level, message);
+ syslog(level, "%s", message);
}
else
{
- fprintf(stderr, message);
+ fprintf(stderr, "%s", message);
}
}
}
@@ -265,6 +265,10 @@
struct urlmask *curu = urls;
int found = 0;

+ if(client->get==NULL)
+ {
+ return(0);
+ }
/* now match against the archives */
if(!strncmp("http://", client->get, 7))
{

=== eof ===

By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »