SHTTPD Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1017088
SecurityTracker URL: http://securitytracker.com/id/1017088
CVE Reference: CVE-2006-5216
Date: Oct 19 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 1.34
Description:
A vulnerability was reported in SHTTPD. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted URL to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.
Donnie Werner of Exploitlabs and sk0de separately discovered this vulnerability.
A demonstration exploit by sk0de is available at:
http://www.milw0rm.com/exploits/2482
Impact:
A remote user can execute arbitrary code on the target system.
Solution:
The vendor has issued a fixed version (1.35), available at:
http://sourceforge.net/project/showfiles.php?group_id=126090
Vendor URL: shttpd.sourceforge.net/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History: None.
Source Message Contents
Subject: [Full-disclosure] shttpd long get request vuln ( retro )
see attached retro advisory
------------------------------------------------------------
- EXPL-A-2006-005 exploitlabs.com Retro Advisory 002 -
------------------------------------------------------------
- SHTTPD -
AFFECTED PRODUCTS
=================
SHTTPD < v1.34
http://shttpd.sourceforge.net/
OVERVIEW
========
"SHTTPD is a lightweight web server. The main design
goals are the ease of use and the ability to embed.
Ideal for personal use, web-based software demos
(like PHP, Perl etc), quick file sharing.
A care has been taken to make the code secure"
RETRO-RELEASE DATE:
===================
Oct 10, 2005
Duplicate Release: Oct 06, 2006
by: sk0de
http://secunia.com/advisories/22294/
DETAILS
=======
SHTTPD is vulnerable to an overly long GET request.
SOLUTION
========
patch: Upgrade to v1.35
PROOF OF CONCEPT
================
1. start SHTTPD
2. send an overly long GET request
   http://[host]/Ax274 chars ( v1.27 - v1.30 )
   http://[host]/Ax256 chars ( v1.34 )
   v1.31-v1.33 untested
2a. PoC by Sk0de
    http://www.milw0rm.com/exploits/2482
CREDITS
=======
"sk0de - http://secunia.com/advisories/22294/ "
RETRO-CREDITS
=============
This vulnerability was discovered and researched by
Donnie Werner of Exploitlabs. At the original time
of discovery and retro-release date, the author was
not aware of any other advisories or research by 3rd parties.
Donnie Werner
wood@exploitlabs.com
morning_wood@zone-h.org
--
web: http://exploitlabs.com
http://exploitlabs.com/files/advisories/EXPL-A-2006-005-shttpd.txt
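A log check for the request shape this advisory describes, as an added example (not code from SecurityTracker, Exploitlabs or the SHTTPD project): it flags GET requests whose path reaches the smallest length the advisory reports as a trigger. The Common Log Format input, the sample lines and the function names are assumptions.

```python
import re
from itertools import groupby
from urllib.parse import unquote_to_bytes, urlsplit

# Smallest trigger length the advisory reports: 256 chars (v1.34); 274 for v1.27-v1.30.
MIN_REPORTED_TRIGGER = 256

# Common Log Format: host ident user [time] "request line" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) \S+$')


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (filler such as AAAA...)."""
    return max((len(list(group)) for _, group in groupby(data)), default=0)


def scan(lines, limit=MIN_REPORTED_TRIGGER):
    """Return one finding per GET whose path (after the leading '/') has >= limit chars."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line.rstrip("\n"))
        if not m:
            continue  # not CLF; a production pipeline should count these
        client, request, status = m.groups()
        parts = request.split(" ")
        if len(parts) < 2 or parts[0] != "GET":
            continue
        # urlsplit copes with origin-form (/path) and absolute-form (http://host/path).
        raw = urlsplit(parts[1]).path.lstrip("/")
        decoded = unquote_to_bytes(raw)
        # Assumption: raw length is used because the advisory does not mention decoding.
        if len(raw) >= limit:
            findings.append({"line": n, "client": client, "status": int(status),
                             "raw_len": len(raw), "decoded_len": len(decoded),
                             "longest_run": longest_run(decoded)})
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [19/Oct/2006:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.77 - - [19/Oct/2006:10:00:05 +0000] "GET /' + "A" * 274 + ' HTTP/1.0" 200 0',
    '192.0.2.78 - - [19/Oct/2006:10:00:09 +0000] "GET /' + "%41" * 256 + ' HTTP/1.0" 404 0',
    '192.0.2.11 - - [19/Oct/2006:10:00:12 +0000] "GET /docs/' + "a" * 200 + ' HTTP/1.0" 200 90',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A long path alone is not proof of an attempt; the `longest_run` field helps separate single-character filler from legitimately long URLs.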