BOOZT! Banner Management System Lets Remote Administrators Execute Arbitrary Code on the Server
SecurityTracker Alert ID: 1003127
SecurityTracker URL: http://securitytracker.com/id/1003127
Date: Jan 6 2002
Impact: Execution of arbitrary code via network, User access via network
Version(s): 0.9.8alpha; possibly other versions
Description: A vulnerability was reported in the BOOZT! banner management system. A remote administrator can execute arbitrary code on the server.
It is reported that the BOOZT! administrative interface lets a remote user with a valid administrator account execute arbitrary code on the server with the privileges of the web server.
The flaw reportedly resides in src/admin/banners.c, where the value returned by GetFromCgi() is copied into the fixed-size char array name without any bounds check, so an overlong "name" field overwrites the stack beyond that array.
A demonstration exploit method is provided:
Fill the "Name Field" with enough A's (770 was reported to be enough) and then press "Create New Banner" to trigger the vulnerability.
Impact: A remote user with an administrative account on the banner management system can execute arbitrary code on the server with the privileges of the web server daemon.
Solution: No solution was available at the time of this entry.
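The defect is the classic unbounded strcpy() of a request parameter into a fixed stack buffer. The following is an added example, not BOOZT!'s code: it reconstructs the vulnerable shape from the description above and the source message below, and puts a bounded copy beside it. Everything not stated on the page is assumed: the buffer size (NAME_SIZE, 256), the else branch that copies the value (the message quotes only the NULL case), the array-backed lookup standing in for cgiParam()'s linked list, and the sample field values.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the `name` buffer on the stack of AdministrationBanners();
 * the advisory says only that a 770-byte value is enough to overflow it. */
#define NAME_SIZE 256

/* Constructed stand-in for the parsed request (cgiParam() walks a linked list). */
struct cgi_param {
    const char *key;
    const char *val;
};

/* Look up a form field; NULL if absent, as with GetFromCgi() in banners.c. */
static const char *cgi_lookup(const struct cgi_param *p, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(p[i].key, key) == 0)
            return p[i].val;
    return NULL;
}

/* The vulnerable pattern as described: the value is copied into a fixed
 * buffer with no bounds check, so NAME_SIZE bytes or more run past `name`
 * into the saved registers and return address above it. The else branch is
 * assumed from the description. For comparison only; never feed it untrusted
 * input. */
static void create_banner_vulnerable(const struct cgi_param *p, size_t n)
{
    char name[NAME_SIZE];
    const char *pomus = cgi_lookup(p, n, "name");
    if (pomus == NULL)
        strcpy(name, "");
    else
        strcpy(name, pomus);   /* unbounded copy: the overflow */
    printf("created banner '%s'\n", name);
}

/* Hardened copy: reject, rather than silently truncate, any value that does
 * not fit, and always leave dst NUL-terminated. The length scan stops at
 * dstsz, so a huge value is refused without walking all of it.
 * Returns 0 on success, -1 if the value is too long. */
int copy_cgi_field(char *dst, size_t dstsz, const char *src)
{
    size_t len = 0;
    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return 0;              /* missing field: empty name, as in the original */
    while (len < dstsz && src[len] != '\0')
        len++;
    if (len == dstsz)
        return -1;             /* no room for the terminator: reject */
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same create-banner step with the bounded copy. Returns 0 if the name was
 * accepted, -1 if rejected (the CGI should answer with an error, not crash). */
int create_banner_safe(const struct cgi_param *p, size_t n, char *name, size_t namesz)
{
    return copy_cgi_field(name, namesz, cgi_lookup(p, n, "name"));
}

/* The reporter's input: a constructed 770-byte run of 'A' in the name field.
 * Returns create_banner_safe()'s verdict, -1 meaning rejected. */
int demo_long_name(void)
{
    static char longname[771];
    char name[NAME_SIZE];
    memset(longname, 'A', 770);
    longname[770] = '\0';
    struct cgi_param req[] = { { "name", longname } };
    return create_banner_safe(req, 1, name, sizeof name);
}

/* A normal name. Returns 0 only if it was accepted and copied intact. */
int demo_short_name(void)
{
    char name[NAME_SIZE];
    struct cgi_param req[] = { { "name", "summer-sale" } };
    if (create_banner_safe(req, 1, name, sizeof name) != 0)
        return -1;
    return strcmp(name, "summer-sale");
}

int main(void)
{
    struct cgi_param ok[] = { { "name", "summer-sale" } };
    create_banner_vulnerable(ok, 1);   /* harmless with a short name */
    printf("hardened, short name: %d\n", demo_short_name());
    printf("hardened, 770 x 'A':  %d\n", demo_long_name());
    return 0;
}
```

Rejecting an overlong value is preferable to strncpy()-style truncation here: truncation hides the anomaly from the admin and from logs, and strncpy() does not NUL-terminate when the source fills the buffer. The same bounded copy belongs on every other field the CGI pulls from the request, not just "name".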
Vendor URL: www.boozt.com/
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: BOOZT! Standard's administration CGI vulnerable to buffer overflow
BOOZT! is banner management software for Linux servers. It has a web-based
remote administration system. I played with version 0.9.8alpha.
Here is a reproduction of the bug:
Fill the "Name Field" with enough A's (770 was fine for me). Press "Create
New Banner". It should show this:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable
to complete your request.
Let's see what happened in error_log:
[Tue Feb 5 17:13:52 2002] [error] [client 127.0.0.1] Premature end of script
Now see what the code for the AdministrationBanners function
(src/admin/banners.c) looks like:
if ((pomus=(char *)GetFromCgi("name"))==NULL) strcpy(name,"");
There is no boundary checking in GetFromCgi:
#define GetFromCgi(name) cgiParam(name)
const char *cgiParam(const char *name)
const char *cgiPosParam(CgiPos *where)
[ ... code to walk over the linked list ... ]
This way we can write A's (or shellcode) beyond the boundaries of the "name"
variable, making the CGI crash (or give us a shell with httpd privileges).
Rafael San Miguel