[3908] in bugtraq
not so false alarm: query cgi problem
daemon@ATHENA.MIT.EDU (Apropos of Nothing)
Fri Jan 10 22:18:50 1997
Date: Fri, 10 Jan 1997 18:03:30 -0500
Reply-To: Apropos of Nothing <apropos@sover.net>
From: Apropos of Nothing <apropos@sover.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
OK, if you were to find a server that does not observe the RFC standards
*AND* has changed its default maximum URL length, it may be vulnerable.
For interest's sake, Apache defines its max URL length like this:
/* The default string lengths */
#define MAX_STRING_LEN HUGE_STRING_LEN
#define HUGE_STRING_LEN 8192
I should note that I haven't gone through the code to find out if the
server actually truncates the URL; I imagine it does - if it didn't it would
be susceptible to a fairly easy buffer overflow - but I digress... I don't
know how the NCSA server defines string lengths.
Anyway if you want to exploit the problem you'll have to send a good deal
of characters to the server... I've been told different string lengths by
different people.
tqbf@enteract.com says:
>You'll need to write 2,560,000 bytes just to write past the array of
>structures, assuming there are no alignment issues making each structure
>(or the array of structures) larger than that by some trivial amount.
while codewarrior@daemon.org thinks:
>you have to supply 1280000 bytes. ah, but you could cheat and just send
>stuff like >"a&a&a&a&a&a&a&a..." as the query string...hmm...okay. that
>cuts it to 21000 bytes.
he reasons that:
>the routine in question was breaking the posted data on "&" before breaking
>it on "=", so that way you'd only have to provide the overflow to the last
>on the 10000 query things...
I haven't had a chance to try this one out, so I don't know. However, if
you'd like to figure it out, here's the layout for the exploit:
http://www.server.com/cgi-bin/query?[questionable.buffer.string][shellcode]
Don't forget: [shellcode] isn't actually shell code, since just forking a
shell won't do you any good... you should end your shellcode with something
like /bin/cat%20/etc/passwd or /bin/bash%20-c%20cat%20/etc/passwd
Also: In a normal overflow you put a / character in front of the assembly
command. When you're overflowing from a cgi I *think* you use a % character
instead.
apropos of nothing
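For the defensive side of the routine discussed in this thread (a CGI that splits the query string on "&" and then on "=" into a fixed array of fixed-size name/value structures), the following is an added example in C of what a bounds-checked version of that parser looks like. It is not code from this post, nor from the NCSA or Apache servers; the limits MAX_QUERY (modelled on Apache's HUGE_STRING_LEN quoted above), MAX_ENTRIES and MAX_FIELD, and the sample inputs in main(), are assumptions constructed for illustration. Every limit violation (total length, number of pairs, length of a single name or value) is rejected outright rather than truncated or written past the array, so neither the long-last-field input nor the many-short-pairs variant described above reaches the copy.

```c
/* Bounded parser for a CGI query string of the form name=value&name=value.
 * Added example, not the original post's or any server's code. The three
 * limits below are assumptions chosen for illustration; MAX_QUERY follows
 * Apache's HUGE_STRING_LEN (8192) quoted in the thread. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_QUERY   8192   /* total query-string bytes accepted (assumed) */
#define MAX_ENTRIES 128    /* maximum name=value pairs stored (assumed) */
#define MAX_FIELD   128    /* capacity of one name or value, incl. NUL (assumed) */

struct entry { char name[MAX_FIELD]; char value[MAX_FIELD]; };
struct query { struct entry entries[MAX_ENTRIES]; size_t count; };

/* Copy n bytes into dst (capacity cap) and NUL-terminate. Returns -1 if the
 * field would not fit; an oversize field is refused, never silently cut. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split qs on '&' first, then each pair on '='. Returns the number of pairs
 * stored, or -1 on any limit violation (total length, pair count, field size). */
int parse_query(const char *qs, struct query *q)
{
    const char *p = qs;
    q->count = 0;
    if (qs == NULL || strlen(qs) > MAX_QUERY) return -1;

    while (*p != '\0') {
        const char *amp = strchr(p, '&');
        size_t pair_len = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', pair_len);
        size_t name_len = eq ? (size_t)(eq - p) : pair_len;
        const char *val = eq ? eq + 1 : p + pair_len;
        size_t val_len = pair_len - name_len - (eq ? 1 : 0);

        if (pair_len > 0) {                       /* skip empty pairs like "a&&b" */
            struct entry *e;
            if (q->count >= MAX_ENTRIES) return -1; /* too many pairs: refuse */
            e = &q->entries[q->count];
            if (copy_field(e->name, MAX_FIELD, p, name_len) < 0) return -1;
            if (copy_field(e->value, MAX_FIELD, val, val_len) < 0) return -1;
            q->count++;
        }
        if (amp == NULL) break;
        p = amp + 1;
    }
    return (int)q->count;
}

/* Parse qs and report only the verdict (pair count or -1). */
int count_pairs(const char *qs)
{
    struct query q;
    return parse_query(qs, &q);
}

/* Build `times` copies of `unit` in a static buffer (constructed input) and
 * return the parser's verdict; used to exercise the limits without literals. */
int parse_repeated(const char *unit, size_t times)
{
    static char buf[2 * MAX_QUERY + 1];
    size_t ulen = strlen(unit), used = 0;
    while (times-- > 0 && used + ulen < sizeof buf) {
        memcpy(buf + used, unit, ulen);
        used += ulen;
    }
    buf[used] = '\0';
    return count_pairs(buf);
}

/* True if pair i of qs parses to exactly the given name and value. */
int field_matches(const char *qs, size_t i, const char *name, const char *value)
{
    struct query q;
    if (parse_query(qs, &q) < 0 || i >= q.count) return 0;
    return strcmp(q.entries[i].name, name) == 0 &&
           strcmp(q.entries[i].value, value) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a normal query, then the two shapes the
     * thread discusses (many short pairs, one oversize field). */
    printf("normal query      -> %d\n", count_pairs("name=bob&file=a.txt"));
    printf("200 x \"a&\"        -> %d\n", parse_repeated("a&", 200));
    printf("one 200-byte name -> %d\n", parse_repeated("x", 200));
    printf("9000-byte query   -> %d\n", parse_repeated("x", 9000));
    return 0;
}
```

The order of the splits (first "&", then "=") mirrors the routine described in the thread; what changes is that the count and field checks run before any byte is copied into the fixed-size structures, so the parser's answer to oversize input is a refusal the CGI can turn into an error response.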