
Buffer overflow vulnerabilities in atphttpd


Published: 2002-07-15
Updated: 2002-07-15
Severity:
Threat level: remote denial of service
Error type: bounds-checking error
Exploitation: server mode

BUGTRAQ ID:5215

Affected systems
Yann Ramin ATPhttpd 0.4 b
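Detailed description
atphttpd is a high-performance web server.

It contains multiple remote buffer overflows, including ordinary buffer overflows and off-by-one overflows. An attacker can exploit these vulnerabilities to execute code.

No detailed technical information is available.

Test code


Solution
Apply the patch: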

==8< atphttpd-0.4b.patch 8<==
diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c
- --- atphttpd-0.4b-old/atphttpd/http_handler.c    Sat Apr 22 05:05:57 2000
+++ atphttpd-0.4b/atphttpd/http_handler.c    Fri Jul 12 13:20:16 2002
@@ -235,7 +235,7 @@
     (void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n",
status, title, status, title );
     sock_puts(hc[listnum].socket, buffer);

- -    (void) sprintf(buffer, "The following error occurred while trying to examine the garbage
that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );
+    snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine
the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text);
     sock_puts(hc[listnum].socket, buffer);

     (void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the
trained rodents living inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n",
SERVER_URL, SERVER_NAME );
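Review bot: the two neighbouring sprintf(buffer, ...) calls visible in this hunk's context (the status/title line above and the ADDRESS footer below) still write into the same buffer with no bound, so the fix covers only one of the three writes. Suggest converting both to snprintf(buffer, sizeof(buffer), ...) in the same change. sizeof(buffer) is only correct if buffer is declared as an array in this function, which the hunk does not show, so that is worth confirming. The text argument is also placed inside <b>%s</b> without HTML escaping.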
diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
- --- atphttpd-0.4b-old/atphttpd/main.c    Sat Apr 22 05:06:00 2000
+++ atphttpd-0.4b/atphttpd/main.c    Fri Jul 12 13:30:55 2002
@@ -141,13 +141,11 @@
          }
  }

- - void deal_with_data(int listnum) {
- -         char buffer[MAX_BUFFER];     /* Buffer for socket reads */
- -//         char *cur_char;      /* Used in processing buffer */
- -         char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
- -
- -         if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
+void deal_with_data(int listnum) {
+    char buffer[MAX_BUFFER];
+    char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];

+    if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
                  close(hc[listnum].socket);
                  hc[listnum].socket = 0;
          } else {
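Review bot: the change from MAX_BUFFER to MAX_BUFFER - 1 in the sock_gets call carries no comment, and sock_gets itself is not shown, so a reader cannot tell whether it writes a terminator past the count it is given. Suggest a one-line comment stating that, or fixing the bound inside sock_gets so every caller is covered, and writing the argument as sizeof(buffer) - 1 to tie it to the declaration. The hunk also re-indents the function and drops the "Buffer for socket reads" comment, which mixes whitespace churn into a security fix.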
@@ -155,7 +153,7 @@
                                *                                                              *
                                * Right now it is very dumb, and only checks for a get header   *
                                * Improvements? */
- -                 sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
+        sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
                  if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0)
{
                                        strcpy(hc[listnum].path, path);
                                        
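Review bot: the field width 1023 in the new sscanf format is hard-coded, while method, path and protocol are declared with MAX_STORE bytes in the previous hunk; the bound holds only if MAX_STORE is at least 1024, which the patch does not show. Suggest deriving the width from MAX_STORE, or adding a compile-time check, so the two cannot drift apart. The sscanf return value is still unchecked, so strcasecmp can read method when fewer than three fields were matched, and the strcpy(hc[listnum].path, path) in the context remains unbounded against a destination whose size is not visible here.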
==8< atphttpd-0.4b.patch 8<==

Related information
qitest1 <qitest1@bespin.org>.
Reference: http://online.securityfocus.com/archive/1/281926
Related homepage: http://www.redshift.com/~yramin/atp/atphttpd/