AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability
BID:13066
Info
AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability
| Bugtraq ID: | 13066 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2005-1086 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 08 2005 12:00AM |
| Updated: | Jul 12 2009 12:56PM |
| Credit: | Discovery is credited to Tan Chew Keong. |
| Vulnerable: |
AN AN-HTTPd 1.42 n |
| Not Vulnerable: | |
Discussion
AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability
AN HTTPD is reported prone to a remote buffer overflow vulnerability.
Specifically, the issue presents itself in 'cmdIS.DLL' which calls the 'GetEnvironmentStrings' function to copy environment variables into a finite sized process buffer.
The attacker can issue a malformed HTTP GET command including excessive data as a value for an affected HTTP header to trigger the overflow. This can lead to arbitrary code execution, allowing the attacker to gain unauthorized access in the context of the Web server.
AN HTTPD 1.42n is reported vulnerable, however, it is possible that other versions are affected as well.
AN HTTPD is reported prone to a remote buffer overflow vulnerability.
Specifically, the issue presents itself in 'cmdIS.DLL' which calls the 'GetEnvironmentStrings' function to copy environment variables into a finite sized process buffer.
The attacker can issue a malformed HTTP GET command including excessive data as a value for an affected HTTP header to trigger the overflow. This can lead to arbitrary code execution, allowing the attacker to gain unauthorized access in the context of the Web server.
AN HTTPD 1.42n is reported vulnerable, however, it is possible that other versions are affected as well.
Exploit / POC
AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability
The following proof of concept is available:
GET /scripts/cmdIS.dll/cgi-bin/test.bat HTTP/1.0
user-agent: aaaaaaaaaaaaaaaaaaaaaa [approx 8300 characters] aaaaaaaaaaaaaaaaaaaa...
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
The following proof of concept is available:
GET /scripts/cmdIS.dll/cgi-bin/test.bat HTTP/1.0
user-agent: aaaaaaaaaaaaaaaaaaaaaa [approx 8300 characters] aaaaaaaaaaaaaaaaaaaa...
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution / Fix
AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability
References:
References: