[3889] in bugtraq
Buffer overflow in the query cgi.
daemon@ATHENA.MIT.EDU (Apropos of Nothing)
Sun Jan 5 00:41:38 1997
Date: Sat, 4 Jan 1997 23:29:00 -0500
Reply-To: Apropos of Nothing <apropos@sover.net>
From: Apropos of Nothing <apropos@sover.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
The cgi script 'query' has a buffer overflow problem. Let's look at the code:
typedef struct {
char name[128];
char val[128];
} entry;
...
main(int argc, char *argv[]) {
entry entries[10000];
register int x,m=0;
char *cl;
cl = getenv("QUERY_STRING");
for(x=0;cl[0] != '\0';x++) {
m=x;
getword(entries[x].val,cl,'&');
plustospace(entries[x].val);
unescape_url(entries[x].val);
getword(entries[x].name,entries[x].val,'=');
}
And recall what Aleph1 pointed out about 'getword':
void getword(char *word, char *line, char stop) {
int x = 0,y;
for(x=0;((line[x]) && (line[x] != stop));x++)
word[x] = line[x];
word[x] = '\0';
if(line[x]) ++x;
y=0;
while(line[y++] = line[x++]);
}
>As you can see it does no bounds checking.
OK, so looking up at query.c again we see that it copies cl (the query
string) into entries[x].val (a 128 byte char) with getword... and you know
what that means!
My buffer overflow skills aren't very good, so I'd like to see if anyone
else can exploit this. It should be pretty easy since all you have to do
is supply 128 bytes, then enough code to get up to the stack and overwrite
it, all in the query string.
apropos of nothing
