SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   SHTTPD Vendors:   shttpd.sourceforge.net
SHTTPD Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017088
SecurityTracker URL:  http://securitytracker.com/id/1017088
CVE Reference:   CVE-2006-5216   (Links to External Site)
Date:  Oct 19 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.34
Description:   A vulnerability was reported in SHTTPD. A remote user can execute arbitrary code on the target system.

A remote user can send a specially crafted URL to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

Donnie Werner of Exploitlabs and sk0de separately discovered this vulnerability.

A demonstration exploit by sk0de is available at:

http://www.milw0rm.com/exploits/2482

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (1.35), available at:

http://sourceforge.net/project/showfiles.php?group_id=126090

Vendor URL:  shttpd.sourceforge.net/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] shttpd long get request vuln ( retro )

This is a multi-part message in MIME format.

------=_NextPart_000_0176_01C6F24C.40D3DAA0
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
	reply-type=original
Content-Transfer-Encoding: 7bit

see attatched retro advisory
------=_NextPart_000_0176_01C6F24C.40D3DAA0
Content-Type: text/plain; format=flowed; name="EXPL-A-2006-005-shttpd.txt";
	reply-type=original
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="EXPL-A-2006-005-shttpd.txt"

------------------------------------------------------------
   - EXPL-A-2006-005 exploitlabs.com Retro Advisory 002 -
------------------------------------------------------------
                      - SHTTPD -







AFFECTED PRODUCTS
=================
SHTTPD < v1.34
http://shttpd.sourceforge.net/



OVERVIEW
========
"SHTTPD is a lightweight web server. The main design
goals are the ease of use  and the ability to embed.
Ideal for personal use, web-based software demos 
(like PHP, Perl etc), quick file sharing.
 A care has been taken to make the code secure"



RETRO-RELEASE DATE:
===================
Oct 10, 2005

Duplicate Release: Oct 06, 2006 
by: sk0de
http://secunia.com/advisories/22294/



DETAILS
=======
SHTTPD is vulnerable to an overly long GET request.

 

SOLUTION
========
patch: Upgrade to v1.35



PROOF OF CONCEPT
================
1.start SHTTPD

2.send an overly long GET request

http://[host]/Ax274 chars ( v1.27 - v1.30 )
http://[host]/Ax256 chars ( v1.34 )
v1.31-v1.33 untested

2a.
PoC by Sk0de
http://www.milw0rm.com/exploits/2482



CREDITS
=======
"sk0de - http://secunia.com/advisories/22294/ "



RETRO-CREDITS
=============
This vulnerability was discovered and researched by 
Donnie Werner of Exploitlabs. At the original time
of discovery and retro-release date, the author was
not aware of any other advisories or research by 3rd parties.


Donnie Werner
wood@exploitlabs.com
morning_wood@zone-h.org

-- 
web:	http://exploitlabs.com

http://exploitlabs.com/files/advisories/EXPL-A-2006-005-shttpd.txt
------=_NextPart_000_0176_01C6F24C.40D3DAA0
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
------=_NextPart_000_0176_01C6F24C.40D3DAA0--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC