unbounded strcpy() causes stack overflow


mothra

May 27, 2015, 1:11:43 AM5/27/15
to openlitespee...@googlegroups.com
While setting up a test environment I noticed a vulnerable call to strcpy() in the LshttpdMain::guessCommonServerRoot() function.

    char *pHome = getenv("HOME");
    pServerRoots[0] = pHome;
    char achBuf[MAX_PATH_LEN];
    for (size_t i = 0; i < sizeof(pServerRoots) / sizeof(char *); ++i)
    {
        if (!pServerRoots[i])
            continue;
        // unbounded copy of the HOME value into a fixed-size stack buffer
        strcpy(achBuf, pServerRoots[i]);

You can trigger the issue with:
    HOME=`python2 -c 'print "A"*4128'` ./openlitespeed

It appears to be possible on 1.3.11 and 1.4.8.

Because of the stack canary (thanks -fstack-protector) it would be quite hard to make this exploitable and it's only local, so nothing major, just a bit of code cleanliness.

Oh and the call to:

    strcat(achBuf, pServerDirs[j]);

a few lines down could also cause a minor uncontrolled write if someone had some really large paths.


Thanks!
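A length-checked version of the quoted loop, added here as an example; it is not code from the OpenLiteSpeed source or from this thread. The value of MAX_PATH_LEN, the candidate list and the build_candidate_path/count_rejected_roots helpers are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: the thread never states MAX_PATH_LEN; 4096 is a guess. */
#define MAX_PATH_LEN 4096
/* Bounded replacement for the strcpy()/strcat() pair quoted in the report.
 * Writes root then dir into out (capacity outsz) only if the result fits
 * with its NUL. Returns 0 on success, -1 (and an empty out) if too long. */
int build_candidate_path(char *out, size_t outsz, const char *root, const char *dir)
{
    size_t rlen = strlen(root);
    size_t dlen = dir ? strlen(dir) : 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    /* Same as rlen + dlen + 1 <= outsz, written so it cannot wrap. */
    if (rlen >= outsz || dlen >= outsz - rlen)
        return -1;
    memcpy(out, root, rlen);
    if (dlen)
        memcpy(out + rlen, dir, dlen);
    out[rlen + dlen] = '\0';
    return 0;
}

/* Mirrors the guessCommonServerRoot() loop: NULL candidates are skipped as
 * before; oversized ones are now rejected instead of overrunning achBuf.
 * Returns how many candidates were rejected for length. */
int count_rejected_roots(const char **roots, size_t nroots, const char *dir)
{
    char achBuf[MAX_PATH_LEN];
    int rejected = 0;
    for (size_t i = 0; i < nroots; ++i) {
        if (!roots[i])
            continue;
        if (build_candidate_path(achBuf, sizeof achBuf, roots[i], dir) != 0) {
            rejected++;
            continue;
        }
    }
    return rejected;
}

int main(void)
{
    const char *roots[] = { getenv("HOME"), "/usr/local/lsws" };
    printf("%d candidate(s) rejected\n", count_rejected_roots(roots, 2, "/conf"));
    return 0;
}
```

Run it with the report's oversized HOME and the loop now reports one rejected candidate instead of smashing the stack.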

Kevin Fwu

May 27, 2015, 10:00:30 AM5/27/15
to openlitespee...@googlegroups.com, w.parker...@gmail.com
Hi mothra,

Thanks for notifying us!  It will be updated in the next patch.

Kevin