IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow

2009.05.24
Credit: Maksymilian Arciemowicz
Risk: High
Local: Yes
Remote: No
CVE: CVE-2009-1476
CWE: CWE-119


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

[ IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow ] Author: Maksymilian Arciemowicz Date: - - Dis.: 05.03.2009 - - Pub.: 22.05.2009 CVE: CVE-2009-1476 Risk: Low - --- 0.Description --- IPFilter is a software package that can be used to provide network address translation (NAT) or firewall services. To use, it can either be used as a loadable kernel module or incorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required. ippool - user interface to the IPFilter pools Ippool is used to manage information stored in the IP pools subsystem of IPFilter. Configuration file information may be parsed and loaded into the kernel, currently configured pools removed or changed as well as inspected. - --- 1. IPFilter (ippool) 4.1.31 lib/load_http.c buffer overflow --- The main problem exist in lib/load_http.c . Let's see lib/load_http.c ( char buffer[1024] ) - --- ... alist_t * load_http(char *url) { int fd, len, left, port, endhdr, removed; char *s, *t, *u, buffer[1024], *myurl; alist_t *a, *rtop, *rbot; struct sockaddr_in sin; struct hostent *host; /* * More than this would just be absurd. */ if (strlen(url) > 512) { fprintf(stderr, "load_http has a URL > 512 bytes?!\n"); return NULL; } fd = -1; rtop = NULL; rbot = NULL; sprintf(buffer, "GET %s HTTP/1.0\r\n", url); myurl = strdup(url); if (myurl == NULL) goto done; s = myurl + 7; /* http:// */ t = strchr(s, '/'); if (t == NULL) { fprintf(stderr, "load_http has a malformed URL '%s'\n", url); free(myurl); return NULL; } *t++ = '\0'; u = strchr(s, '@'); if (u != NULL) s = u + 1; /* AUTH */ sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s); ... - --- 0. buffer[] have only 1024 bytes, 1. url can't have more than 512 bytes, 2. url will be copied into buffer here: sprintf(buffer, "GET %s HTTP/1.0\r\n", url); and here (s is a host) sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s); so if the url have 512 = strlen(http:// A x504 /) then into buffer will be put strlen(GET HTTP/1.0\r\n) = 15 strlen(url) = 512 strlen(Host: \r\n\r\n)= 10 strlen(A x504) = 504 sum = 1041 bytes. Any use of this function is a potential risk. Programs such as "ippool" may be at risk. - --- 2. Fix --- NetBSD fix: http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?only_with_tag=MAIN - --- 4. Contact --- Author: Maksymilian Arciemowicz

References:

http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?only_with_tag=MAIN


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top