
Remote POST Buffer Overflow vulnerability in Pserv.

by Nikola Strahija on November 25th, 2002

Pico Server (pserv) is a very small web server written in C that supports several platforms. The web server has an interesting feature: it contains several checks meant to catch buffer overflows. (The developer seems to really hate buffer overflows. ;-} ) This can be confirmed as follows.


__
bash# cat *.c | grep flow
printf("Buffer overflow on document path parsing\n");
{ /* checking for buffer overflow */
printf("Buffer overflow on POST read\n");
if (totalRead > BUFFER_SIZE) /* checking for buffer overflow */
printf("Buffer overflow on request read\n");
bash#
--

Among these checks, however, there is one that has no real substance.

The faulty code is at line 184 of main.c.
This part is the POST method handling area.

__
178 reqSize = strlen(req);
179 i = 0; j = 0;
180 while (i < MAX_REQUEST_LINES && j < reqSize)
181 {
182 k = 0;
183 while (req[j] != '\n')
184 token[k++] = req[j++]; // here.
185 token[k-1] = '\0'; /* the line read ends with a \n; we skip it and count it as read */
186 j++;
187 strcpy(reqArray[i], token);
188 i++;
189 }
--

Through the POST method, a Denial of Service (DoS) attack can be attempted.
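As an added illustration (not code from pserv or from the original advisory), here is the same line-splitting logic with the bounds that line 184 lacks. The function name `split_request_lines`, the constant `TOKEN_SIZE`, and the value chosen for `MAX_REQUEST_LINES` are assumptions; the request strings in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINES 8   /* name from the page; value is an assumption */
#define TOKEN_SIZE        64  /* hypothetical per-line buffer size */

/* Bounded version of the header-splitting loop. Returns the number of lines
 * stored, or -1 when a line does not fit in TOKEN_SIZE or the request has
 * more than MAX_REQUEST_LINES lines, so the caller can reject the request. */
int split_request_lines(const char *req, size_t reqSize,
                        char reqArray[MAX_REQUEST_LINES][TOKEN_SIZE])
{
    size_t j = 0;
    int i = 0;

    while (j < reqSize) {
        size_t k = 0;
        if (i == MAX_REQUEST_LINES)
            return -1;                 /* too many lines */
        /* The original inner loop tested only req[j] != '\n'. */
        while (j < reqSize && req[j] != '\n') {
            if (k == TOKEN_SIZE - 1)
                return -1;             /* line too long: refuse before writing */
            reqArray[i][k++] = req[j++];
        }
        if (k > 0 && reqArray[i][k - 1] == '\r')
            k--;                       /* strip '\r' without indexing k-1 when k == 0 */
        reqArray[i][k] = '\0';
        if (j < reqSize)
            j++;                       /* skip the '\n' */
        i++;
    }
    return i;
}

int main(void)
{
    char lines[MAX_REQUEST_LINES][TOKEN_SIZE];
    char longline[300];                /* constructed input: no newline at all */
    const char *ok = "POST /cgi HTTP/1.0\r\nContent-Length: 3\r\n\r\nabc";

    memset(longline, 'A', sizeof longline);
    printf("normal request: %d lines\n", split_request_lines(ok, strlen(ok), lines));
    printf("oversized line: %d\n",
           split_request_lines(longline, sizeof longline, lines));
    return 0;
}
```

Every write into the line buffer is preceded by a check on `k`, and every read of `req` by a check on `j`, so an input with no newline is rejected instead of being copied until memory runs out.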


0x02. Vulnerable Packages


Vendor site: http://pserv.sourceforge.net/

Pserv 2.0 beta 3
-pserv-31-Oct-02.tar.Z
+MacOS X
+AIX
+NetBSD
+Linux

2.0 beta 2
-pserv-20-Oct-02.tar.Z
2.0 beta 1
-pserv-15-Oct-02.tar.Z
2.0 alpha 12
-pserv-18-Sep-02.tar.Z
2.0 alpha 11
-pserv-17-Sep-02.tar.Z
2.0 alpha 10
-pserv-10-Sep-02.tar.Z
2.0 alpha 9
-pserv-09-Sep-02.tar.Z
2.0 alpha 8
-pserv-04-Sept-02.tar.Z
2.0 alpha 7
-pserv-29-Aug-02.tar.Z
2.0 alpha 6
-pserv-24-Aug-02.tar.Z
2.0 alpha 5
-pserv-22-Aug-02.tar.Z
2.0 alpha 4
-pserv-17-Aug-02.tar.Z
2.0 alpha 3
-pserv-11-Aug-02.tar.Z
2.0 alpha 2
-pserv-10-Aug02.tar.Z
2.0 alpha 1
-pserv-7-Aug-02.tar
1.0
-pserv1.0.tgz




0x03. Exploit


There is no exploit code yet.

0x04. Patch


=== http.patch ===

--- main.c Tue Nov 19 16:48:40 2002
+++ main.patch.c Tue Nov 19 16:15:51 2002
@@ -176,6 +176,9 @@

/* we copy the header lines to an array for easier parsing */
reqSize = strlen(req);
+
+ req[BUFFER_SIZE]='n'; /* Limit! */
+
i = 0; j = 0;
while (i < MAX_REQUEST_LINES && j < reqSize)
{
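Review bot: the added write to req[BUFFER_SIZE] is only in bounds if req is declared with at least BUFFER_SIZE + 1 bytes, which this hunk does not show; if req is exactly BUFFER_SIZE bytes, the fix is itself an off-by-one write. It is also placed after reqSize = strlen(req), so it changes nothing about the outer loop bound, and it does not limit how many bytes one line copies into token at line 184 of the listing above: a line with no newline can still copy up to BUFFER_SIZE bytes, which overruns token unless token is at least that large. I would bound the copy itself, by testing j < reqSize and k against the size of token in the inner while condition, and reject the request when a line does not fit.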

=== eof ===


