cgiwrap-3.5 (and 3.6beta1, avialiblty of which is not known) buffer

Duncan Simpson (dps@IO.STARGATE.CO.UK)
Sun, 07 Dec 1997 00:23:15 +0000 (GMT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jim Bourne: "Re: pinelock.csh exploit"
Previous message: Geoffrey King: "Microsoft, CNET, BUGTRAQ and the 'land' attack"

Hi, I have been hacking cgiwrap-3.5 for my own purposes. Anyway I spotted
a code fragmen that allocated a static buffer and printed an arbitary
lenght string in it. Exploits probably require one to create a file with
the name contiaining shellcode but that should not be a serious problem (/
means new dir and \0 does not happen).

Here is a patch:
diff -ur cgiwrap-3.6beta1/util.c cgiwrap-3.6beta1-fixed/util.c
--- cgiwrap-3.6beta1/util.c Tue Nov 18 04:51:05 1997
+++ cgiwrap-3.6beta1-fixed/util.c Sun Dec 7 00:15:27 1997
@@ -282,7 +282,7 @@

if (!(fileStat.st_mode & S_IXUSR))
{
- sprintf(tempErrString, "Script is not executable. Issue chmod 755 %s", scriptPath);
+ snprintf(tempErrString, 254, "Script is not executable. Issue chmod 755 %s", scriptPath);
MSG_Error_ExecutionNotPermitted(tempErrString);
}

which should apply cleaning to 3.5 as well. (The patch is against 3.6beta1
as you can see). The maintainer has been informed.

Duncan (-:

Next message: Jim Bourne: "Re: pinelock.csh exploit"
Previous message: Geoffrey King: "Microsoft, CNET, BUGTRAQ and the 'land' attack"