Re: wwwcount remote exploit (@ Solaris)

Jan Wedekind (Jan.Wedekind@DE.UU.NET)
Fri, 17 Oct 1997 11:19:14 +0200

Hello all,

with Solaris (and all other systems which don't support setenv(2))
you have to use putenv(2) instead of setenv.
The modified patch is applied below.

> Program:   Count.cgi (wwwcount), a popular CGI web counter
>
> Version:   Tested on 2.3, others probably affected as well (?)
>
> OS:        All
>
> Impact:    a buffer can be overflowed in the Count.cgi program,
>            allowing remote http users to execute arbitrary commands
>            on the target machine.
>
> [...]
>

> The actual fix is pretty simple. Apply the following patch to the
> file main.c. Environment variables will be cut down to their first
> 600 chars. The idea of this patch can also be adapted for other
> purposes, mainly to develop a generic cgi-bin wrapper.
>

Patch for Solaris and other OSes with putenv(); also add -DHAVE_PUTENV
in the Makefile of wwwcount 2.3:

58a59,80
> void wrapit(char *envvar,int esize)
> {
>    char *tmp,*tmp2;
>    tmp=malloc(esize+strlen(envvar)+2);
>    if(tmp==NULL)
>      {
>       Debug2("Can't allocate wrapper memory buffer.",0,0);
>       exit(1);
>      }
> #ifdef HAVE_PUTENV
>    strcpy(tmp, envvar);
>    strcat(tmp, "=");
>    strncat(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1);
>    tmp[strlen(envvar)+1+esize]='\0';
>    putenv(tmp);
> #else
>    strncpy(tmp,(tmp2=getenv(envvar))?tmp2:"",esize-1);
>    tmp[esize]='\0';
>    setenv(envvar,tmp,1);
> #endif
> }
>
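Review bot: the `#else` branch terminates the copy one byte too late. `strncpy(tmp,...,esize-1)` copies at most esize-1 bytes and adds no NUL when the value is that long or longer, so `tmp[esize-1]` is still uninitialised malloc memory and `tmp[esize]='\0'` leaves that stray byte inside the value; it should be `tmp[esize-1]='\0'`. The `#ifdef HAVE_PUTENV` branch's `tmp[strlen(envvar)+1+esize]='\0'` is inside the allocation but lands past the terminator `strncat` already wrote, so it has no effect and can go. Two behaviours deserve a comment: a NULL from `getenv` is turned into a set-but-empty variable, so an absent HTTP_REFERER or HTTP_USER_AGENT now looks different to any code that tests for presence; and since `putenv` stores the pointer rather than copying the string, `tmp` must never be freed in that branch, whereas in the `setenv` branch it is simply leaked (acceptable in a short-lived CGI, but say so).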
89c111
<     char
---
>    char
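Review bot: `89c111` is a whitespace-only change (`char` re-indented from four spaces to three) and should be dropped from the patch; it fixes nothing, makes `patch` more likely to reject on a slightly different main.c, and buries the real change in noise.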
185a208,213
>    /*
>     * avoid any buffer overflow problem by cutting some env variables
>     */
>    wrapit("QUERY_STRING",600);
>    wrapit("HTTP_REFERER",600);
>    wrapit("HTTP_USER_AGENT",600);
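Review bot: the comment should say where 600 comes from, i.e. the size of the fixed buffers in main.c that these three variables are copied into, so whoever resizes those buffers knows to move the limit; as written it is a magic number. It is also worth stating that only QUERY_STRING, HTTP_REFERER and HTTP_USER_AGENT are clamped, so any other request-controlled variable the program copies into a fixed buffer is left as it was, and that the truncation is silent: an over-long value is processed in cut-down form rather than rejected, a reasonable default for a hit counter but one that should be a deliberate choice.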


Mit freundlichen Grüßen / best regards,

UUNET Deutschland GmbH
Jan Wedekind
(Dipl.-Informatiker)

Web Competence Center             UUNET Deutschland GmbH
Tel. +49 231 972 2280             Emil-Figge-Straße 80
Fax. +49 231 972 1180             44227 Dortmund, Germany
Jan.Wedekind@de.uu.net            URL: http://www.uunet.de
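The clamp the posted patch implements, as an added example written for this page rather than code from wwwcount or from the patch above. It builds only on putenv(3), which every POSIX system provides, so it needs no HAVE_PUTENV switch, and it differs from the patch in three deliberate ways: a variable that is not set stays unset instead of being created empty, the copy is terminated at exactly the requested length with no stray byte, and the "NAME=value" string is kept alive because putenv stores the pointer rather than copying it. The function names, the 600-byte limit and the 1000-byte QUERY_STRING are assumptions constructed for the example.

```c
#define _XOPEN_SOURCE 700      /* expose putenv() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Install NAME=<first vlen bytes of value> with putenv().
 * putenv() keeps the pointer, so the string must outlive the call; it is
 * allocated here and never freed (a few hundred bytes per CGI run). */
static int put_env_pair(const char *name, const char *value, size_t vlen)
{
    size_t nlen = strlen(name);
    char *pair = malloc(nlen + 1 + vlen + 1);   /* name '=' value NUL */
    if (pair == NULL)
        return -1;
    memcpy(pair, name, nlen);
    pair[nlen] = '=';
    memcpy(pair + nlen + 1, value, vlen);       /* copy before putenv */
    pair[nlen + 1 + vlen] = '\0';               /* exact terminator */
    return putenv(pair) == 0 ? 0 : -1;
}

/* Set NAME to a full value (used to stage test input without setenv()). */
int set_env_str(const char *name, const char *value)
{
    return put_env_pair(name, value, strlen(value));
}

/* Clamp NAME to at most maxlen bytes.
 * Returns the resulting length, -1 if NAME is unset (it is left unset,
 * unlike the patch), or -2 if allocation or putenv() failed. */
long clamp_env(const char *name, size_t maxlen)
{
    const char *cur = getenv(name);
    if (cur == NULL)
        return -1;
    size_t len = strlen(cur);
    if (len <= maxlen)
        return (long)len;                        /* already within bound */
    if (put_env_pair(name, cur, maxlen) != 0)
        return -2;
    return (long)maxlen;
}

/* Demo helper: stage a constructed value of `total` 'A' bytes, clamp it to
 * maxlen, and return the length now visible through getenv(). Returns -3 if
 * any byte of the clamped value is not 'A' (i.e. a stray byte crept in). */
long run_clamp_demo(size_t total, size_t maxlen)
{
    char *big = malloc(total + 1);
    if (big == NULL)
        return -2;
    memset(big, 'A', total);
    big[total] = '\0';
    int rc = set_env_str("QUERY_STRING", big);
    free(big);                                   /* put_env_pair copied it */
    if (rc != 0)
        return -2;
    if (clamp_env("QUERY_STRING", maxlen) < 0)
        return -2;
    const char *now = getenv("QUERY_STRING");
    size_t n = strlen(now);
    for (size_t i = 0; i < n; i++)
        if (now[i] != 'A')
            return -3;
    return (long)n;
}

int main(void)
{
    long n = run_clamp_demo(1000, 600);          /* constructed 1000-byte input */
    long r = clamp_env("HTTP_REFERER", 600);     /* assumed unset in this demo */
    printf("QUERY_STRING clamped to %ld bytes; HTTP_REFERER %s\n",
           n, r == -1 ? "left unset" : "clamped");
    return 0;
}
```

Running it prints that the 1000-byte QUERY_STRING is now 600 bytes and that an absent HTTP_REFERER was left alone. The per-call allocation is the price of putenv's pointer semantics; a wrapper that freed the string after putenv, as the setenv branch of the patch could safely do, would corrupt the environment.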