Date: Tue, 11 Dec 2001 09:00:57 -0800 (PST) From: FreeBSD Security Advisories <security-advisories@freebsd.org> To: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd Message-ID: <200112111700.fBBH0vM72097@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:66 Security Advisory
FreeBSD, Inc.
Topic: thttpd port contains remotely vulnerability
Category: ports
Module: thttpd
Announced: 2001-12-11
Credits: GOBBLES SECURITY
Affects: Ports collection prior to the correction date
Corrected: 2001-11-22 00:10:56 UTC
FreeBSD only: no
I. Background
thttpd is a simple, small, portable, fast, and secure HTTP server.
II. Problem Description
In auth_check(), there is an off-by-one error in computing the amount
of memory needed for storing a NUL terminated string. Specifically, a
stack buffer of 500 bytes is used to store a string of up to 501 bytes
including the terminating NUL.
III. Impact
Due to the location of the affected buffer on the stack, this bug
can be exploited using ``The poisoned NUL byte'' technique (see
references). A remote attacker can hijack the thttpd process,
obtaining whatever privileges it has. By default, the thttpd process
runs as user `nobody'.
IV. Workaround
1) Deinstall the thttpd port/package if you have it installed.
V. Solution
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.22.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.22.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the thttpd port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.
Path Revision
- -------------------------------------------------------------------------
ports/www/thttpd/Makefile 1.23
ports/www/thttpd/distinfo 1.20
ports/www/thttpd/files/patch-fdwatch.c removed
- -------------------------------------------------------------------------
VII. References
<URL:http://www.securityfocus.com/archive/1/241310>;
<URL:http://www.securityfocus.com/archive/1/10884>;
-----BEGIN PGP SIGNATURE-----
Comment: http://www.nectar.cc/pgp
iQCVAwUBPBY6x1UuHi5z0oilAQEHrgQAgscqPT0AVJcotWgO1t8WuJQyNukLHnDS
qGa8LT7ebuMY/Nl6JJzTYudwmr16RtJNPSYTfk1eHPWgAYzKyiNM7uMU87ZDplpM
FOggQbjdhFPNUE3WK8P2cmdm+7mrZbdWGJmvZpYH4TRNn6yQVV4F8tENl+nPu3I+
5IGxGqgr2vA=
=1MCH
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112111700.fBBH0vM72097>