[5405] in bugtraq


Re: wwwcount remote exploit (@ Solaris)

daemon@ATHENA.MIT.EDU (Jan Wedekind)
Fri Oct 17 12:33:59 1997

Date: 	Fri, 17 Oct 1997 11:19:14 +0200
Reply-To: Jan.Wedekind@DE.UU.NET
From: Jan Wedekind <Jan.Wedekind@DE.UU.NET>
X-To:         dube0866@eurobretagne.fr
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 16 Oct 1997 20:23:42 +0200." 
              <199710161823.UAA00363@plaguez.plaguez.COM>

Hello all,

with Solaris (and all other systems which don't support setenv(2))
you have to use putenv(2) instead of setenv.
The modified patch is applied below.

> Program:   Count.cgi (wwwcount), a popular CGI web counter
>
> Version:   Tested on 2.3, others probably affected as well (?)
>
> OS:        All
>
> Impact:    a buffer can be overflowed in the Count.cgi program,
>            allowing remote http users to execute arbitrary commands
>            on the target machine.
>
> [...]
>

> The actual fix is pretty simple. Apply the following patch to the
> file main.c. Environment variables will be cut down to their first
> 600 chars. The idea of this patch can also be adapted for other
> purposes, mainly to develop a generic cgi-bin wrapper.
>

Patch for Solaris and other OS with putenv(); also add -DHAVE_PUTENV
in the Makefile of wwwcount 2.3:

58a59,80
> void wrapit(char *envvar,int esize)
> {
>    char *tmp,*tmp2;
>    tmp=malloc(esize+strlen(envvar)+2);
>    if(tmp==NULL)
>      {
>       Debug2("Can't allocate wrapper memory buffer.",0,0);
>       exit(1);
>      }
> #ifdef HAVE_PUTENV
>    strcpy(tmp, envvar);
>    strcat(tmp, "=");
>    strncat(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1);
>    tmp[strlen(envvar)+1+esize]='\0';
>    putenv(tmp);
> #else
>    strncpy(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1);
>    tmp[esize]='\0';
>    setenv(envvar,tmp,1);
> #endif
> }
>
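
Review bot: in the #else (setenv) branch, strncpy(tmp, ..., esize-1) fills only tmp[0] through tmp[esize-2] and the terminator is then stored at tmp[esize], so when the variable holds esize-1 or more characters tmp[esize-1] is never initialised and one byte of heap garbage can end up in the value. Terminate at tmp[esize-1] instead. The HAVE_PUTENV branch does not have this problem because strncat always terminates its result, which also makes the explicit tmp[strlen(envvar)+1+esize]='\0' redundant. In both branches the return value of putenv()/setenv() is ignored; if the call fails, the original untruncated value stays in the environment, so handle failure the same way as the malloc failure and exit. Note as well that either branch keeps at most esize-1 characters, and that a variable which was unset comes back defined as the empty string.
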
89c111
<     char
---
>    char
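
Review bot: the old and new line here differ only in the whitespace before char, which has nothing to do with the overflow fix. Drop this hunk so the security patch stays minimal and applies cleanly to trees whose indentation differs.
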
185a208,213
>    /*
>     * avoid any buffer overflow problem by cutting some env variables
>     */
>    wrapit("QUERY_STRING",600);
>    wrapit("HTTP_REFERER",600);
>    wrapit("HTTP_USER_AGENT",600);
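
Review bot: the limit 600 is repeated as a literal in all three wrapit() calls, and nothing in the patch ties it to the size of the buffers in main.c that later receive these values. Define it once as a named constant next to those buffer declarations (or derive it from the smallest of them) and state the relationship in the comment. Since the comment says "some env variables", it should also record why these three are sufficient, i.e. that no other request-controlled variable read by Count.cgi is copied into a fixed-size buffer.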


Mit freundlichen Grüßen / best regards,

UUNET Deutschland GmbH
Jan Wedekind
(Dipl.-Informatiker)

Web Competence Center             UUNET Deutschland GmbH
Tel. +49 231 972 2280             Emil-Figge-Straße 80
Fax. +49 231 972 1180             44227 Dortmund, Germany
Jan.Wedekind@de.uu.net            URL: http://www.uunet.de
