SecurityTracker.com
SecurityTracker Archives
Category:   Application (Generic)  >   BOOZT!
Vendors:   Solutions 4u Ltd.
BOOZT! Banner Management System Lets Remote Administrators Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1003127
SecurityTracker URL:  http://securitytracker.com/id/1003127
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 6 2002
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 0.9.8alpha; possibly other versions
Description:   A vulnerability was reported in the BOOZT! banner management system. A remote administrator can execute arbitrary code on the server.

It is reported that the BOOZT! administrative interface lets a remote user with a valid administrator account execute arbitrary code on the server with the privileges of the web server.

The flaw reportedly resides in src/admin/banners.c: the value returned by GetFromCgi() is copied with strcpy() into the fixed-size char name[255] stack buffer without any bounds check, so a banner name longer than 254 bytes overflows the buffer.

A demonstration exploit method is provided:

http://[targethost]:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1

Fill the "Name Field" with enough A's (770 was reported to be enough) and then press "Create New Banner" to trigger the vulnerability.

Impact:   A remote user with an administrative account on the banner management system can execute arbitrary code on the server with the privileges of the web server daemon.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.boozt.com/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: BOOZT! Banner Management System Lets Remote Administrators Execute Arbitrary Code on the Server
This is a follow-up message.



Source Message Contents

Subject:  BOOZT! Standard's administration cgi vulnerable to buffer overflow




BOOZT! is banner management software for Linux servers. It has a web-based 
remote administration system. I played with version 0.9.8alpha.


Here is a reproduction of the bug:

        http://127.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1

Fill the "Name Field" with enough A's (770 was fine for me). Press "Create 
New Banner". It should show this:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable 
to complete your request.

Let's see what happened in error_log:

[Tue Feb  5 17:13:52 2002] [error] [client 127.0.0.1] Premature end of script 
headers: /usr/local/apache/cgi-bin/boozt/admin/index.cgi

Now see what the code for the AdministrationBanners function 
(src/admin/banners.c) looks like:

        char name[255]="";

        [...]

        /* unbounded copy: the length of pomus is never checked against name */
        if ((pomus=(char *)GetFromCgi("name"))==NULL)  strcpy(name,"");
        else strcpy(name,pomus);

There is no boundary checking in GetFromCgi:

        #define GetFromCgi(name) cgiParam(name)

        const char *cgiParam(const char *name)
        {
         return cgiPosParam((CgiPos*)listGetByName(name));
        }

        const char *cgiPosParam(CgiPos *where)
        {
         CgiElement *w=(CgiElement*)where;
         DefCheck(NULL);

         [ ... code to walk over the linked list ... ]
        }

This way we can write A's (or shellcode) beyond the boundaries of the "name" 
variable, making the cgi crash (or give us a shell with httpd privileges).


Rafael San Miguel Carrasco
rsanmcar@alum.uax.es
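The advisory text and the posted banners.c excerpt both describe the same defect: a strcpy() of an attacker-controlled CGI field into char name[255]. The following is an added example, not code from BOOZT! or from the advisory author. It reproduces the vulnerable copy as a reference function (never called on long input, since that write is undefined behaviour), puts the bounded replacement beside it, and drives both through a hypothetical stand-in for GetFromCgi() that parses a constructed application/x-www-form-urlencoded body of the kind the "Create New Banner" form submits. The parser, the 4096-byte field limit and the function names are assumptions for illustration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* The pattern from src/admin/banners.c: unbounded strcpy of a CGI field into a
 * 255-byte buffer. Kept for comparison; calling it with >254 bytes overflows. */
void copy_name_unsafe(char name[255], const char *pomus)
{
    if (pomus == NULL) strcpy(name, "");
    else strcpy(name, pomus);
}

/* Hardened replacement: refuse a value that does not fit rather than truncating
 * it silently. Returns 0 on success, -1 when the value is too long. */
int copy_name_safe(char *name, size_t namesz, const char *pomus)
{
    if (pomus == NULL) { name[0] = '\0'; return 0; }   /* same as strcpy(name,"") */
    size_t len = strlen(pomus);
    if (len >= namesz) return -1;                       /* would overflow: reject */
    memcpy(name, pomus, len + 1);                       /* copies the terminator too */
    return 0;
}

/* Would strcpy(dst, src) write past a dst of dstsz bytes? */
int would_overflow(const char *src, size_t dstsz)
{
    return src != NULL && strlen(src) + 1 > dstsz;
}

/* Hypothetical stand-in for BOOZT!'s GetFromCgi(): finds key in a
 * form-urlencoded body and percent-decodes its value into out.
 * Returns 0 when found, -1 when absent, -2 when the decoded value exceeds outsz. */
int cgi_param_lookup(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = plen - klen - 1, o = 0;
            for (size_t i = 0; i < vlen; i++) {
                unsigned char c = (unsigned char)v[i];
                if (c == '%' && i + 2 < vlen &&
                    isxdigit((unsigned char)v[i + 1]) && isxdigit((unsigned char)v[i + 2])) {
                    char hex[3] = { v[i + 1], v[i + 2], '\0' };
                    c = (unsigned char)strtoul(hex, NULL, 16);
                    i += 2;
                } else if (c == '+') {
                    c = ' ';
                }
                if (o + 1 >= outsz) return -2;          /* decoded value too long */
                out[o++] = (char)c;
            }
            out[o] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Simulated "Create New Banner" handler using the bounded copy.
 * Returns 0 when the name is accepted (absent name becomes ""), -1 when rejected. */
int handle_create_banner(const char *body, char *name_out, size_t name_sz)
{
    char value[4096];                                   /* assumed per-field limit */
    int rc = cgi_param_lookup(body, "name", value, sizeof value);
    if (rc == -2) return -1;                            /* longer than any real name */
    return copy_name_safe(name_out, name_sz, rc == 0 ? value : NULL);
}

int main(void)
{
    /* Constructed request body: 770 A's, the count the report says was enough. */
    char big[771], body[900], name[255];
    memset(big, 'A', 770); big[770] = '\0';
    snprintf(body, sizeof body, "section=5&input=1&name=%s", big);

    copy_name_unsafe(name, "short name");               /* safe only because input fits */
    printf("770-byte name overflows char[255]: %s\n", would_overflow(big, sizeof name) ? "yes" : "no");
    printf("hardened handler on 770 A's: %d\n", handle_create_banner(body, name, sizeof name));
    printf("hardened handler on normal name: %d (%s)\n",
           handle_create_banner("section=5&input=1&name=Summer%20Sale+2002", name, sizeof name), name);
    return 0;
}
```

The choice to reject over-long input instead of truncating with strncpy() is deliberate: truncation keeps the process alive but can also drop a terminator or produce a name the administrator did not enter; a 4096-byte per-field ceiling before the copy additionally bounds the work the parser does on hostile input.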

 
 


Copyright 2021, SecurityGlobal.net LLC