[398] in WWW Security List Archive
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
daemon@ATHENA.MIT.EDU (Scott Powers)
Thu Feb 16 03:49:48 1995
From: spowers@shire.ncsa.uiuc.edu (Scott Powers)
To: www-security@ns2.rutgers.edu
Date: Wed, 15 Feb 1995 23:19:39 -0600 (CST)
In-Reply-To: <9502152131.AA21296@mccarthy.csd.uwo.ca> from "A Warren Pratten" at Feb 15, 95 04:31:29 pm
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>
> -> Until official patches are available from NCSA, CIAC recommends the following
> -> temporary fix be installed. In the file httpd.h, change the string length
> -> definitions from:
> ->
> -> /* The default string lengths */
> -> #define MAX_STRING_LEN 256
> -> #define HUGE_STRING_LEN 8192
> ->
> -> to:
> ->
> -> /* The default string lengths */
> -> #define HUGE_STRING_LEN 8192
> -> #define MAX_STRING_LEN HUGE_STRING_LEN
> ->
> -> Then rebuild, install, and restart the new httpd server.
>
> This is a pathetic fix. Sure it will solve the problem for a short time until
> a clever hacker realises that all he/she has to do is overflow a larger
> buffer.
>
Pathetic fix? I would not go that far. I will definitely agree that this is
not "the" fix, but it _will_ (repeat, WILL) fix the problem until the
patches which do the bound checking arrive (coming very soon, I might add). If you
can only read 8192 bytes from the socket (maximum, no ifs, ands, or buts
about it) and _all_ the buffers are 8192 in length, there is _no_ way to
overflow anything.
If you or someone else can prove me wrong, PLEASE do so!
It has also been brought up that making _all_ of the static variables 8192
bytes will break some unix boxes. If that is the case, I would suggest using
a "strncpy" with the size of the static variable (in this case 256) as the
max copy length...for the time being.
> I think I will opt for patching the source so that it does some sort of bound
> check on the buffer. At least until NCSA provides an official fix.
>
Just to reiterate, this is being worked on as I type.
> - Warren
>
> A Warren Pratten, Small Computer Support email: warren@csd.uwo.ca
> Department of Computer Science voice: +1 519 679 2111 x6880
> The University of Western Ontario fax: +1 519 661 3515
> London Ontario CANADA N6A 5B7 www: http://www.csd.uwo.ca/staff/warren
>
Scott Powers
P.S. I happen to be a developer for X Mosaic, not httpd, but I read this
mailing list avidly and try to keep abreast of security issues in general.
My point being, I'm not the server guy.
--
+---------------------------------------------------------------------------+
|"Sorry, not tonite honey....I have a modem." --Anonymous |
+---------------------------------------------------------------------------+
|spowers@shire.ncsa.uiuc.edu |
|Scott W. Powers, Research Programmer at the Software Development Group, |
|National Center for Supercomputing Applications |
+---------------------------------------------------------------------------+
|Cyber Doors: http://shire.ncsa.uiuc.edu |
|Terminal Guidance (MUD): telnet shire.ncsa.uiuc.edu 6969 |
+---------------------------------------------------------------------------+
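As an added example for the two interim fixes discussed in this thread (the equal-size buffers and the strncpy-bounded copy), here is a small C program; it is not NCSA httpd code, the request line it copies is constructed, and the helper names are hypothetical. It shows why a 256-byte field fed from an 8192-byte socket buffer needs a bounded copy, and why strncpy on its own must be followed by an explicit terminator.

```c
#include <stdio.h>
#include <string.h>

/* Sizes as quoted from httpd.h in the advisory above. */
#define MAX_STRING_LEN 256
#define HUGE_STRING_LEN 8192

/* Nonzero when an unbounded strcpy(dst, src) into a dstsize-byte buffer would
   write past its end (the bug class the advisory describes). */
int would_overflow(size_t dstsize, const char *src)
{
    return strlen(src) + 1 > dstsize;
}

/* Interim mitigation from the thread: strncpy bounded by the destination size.
   strncpy does not NUL-terminate when src is dstsize-1 bytes or longer, so the
   terminator is written explicitly. Returns 1 if src was truncated. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize;
}

/* Constructed input: a request line of input_len 'A' bytes, capped at what a
   HUGE_STRING_LEN socket buffer can hold; returns its final length. */
size_t build_request_line(char *sockbuf, size_t input_len)
{
    if (input_len > HUGE_STRING_LEN - 1)
        input_len = HUGE_STRING_LEN - 1;
    memset(sockbuf, 'A', input_len);
    sockbuf[input_len] = '\0';
    return input_len;
}

/* Copies the constructed line into a MAX_STRING_LEN field with bounded_copy and
   returns how many bytes actually landed there (never more than 255). An
   unbounded strcpy(field, sockbuf) here is the vulnerable pattern. */
size_t demo_bounded(size_t input_len)
{
    static char sockbuf[HUGE_STRING_LEN];
    char field[MAX_STRING_LEN];
    build_request_line(sockbuf, input_len);
    bounded_copy(field, sizeof field, sockbuf);
    return strlen(field);
}
```

demo_bounded(1000) returns 255: the field keeps the first 255 bytes and stays terminated, where the unbounded copy would have written 745 bytes past its end.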