https://bz.apache.org/bugzilla/show_bug.cgi?id=61511

            Bug ID: 61511
           Summary: htdigest: one byte stack buffer overflow on malformed
                    input file
           Product: Apache httpd-2
           Version: 2.4.27
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: support
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Created attachment 35313
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35313&action=edit
poc file

The htdigest tool has a stack buffer overflow bug if you pass it an input file
with a long line. I'll attach a sample file (it simply consists of 766 times
"a").

Usually I'd report this as a security vulnerability, but as it only affects a
rarely used command-line tool I thought I could skip that. This bug was found
with afl.

When compiled with AddressSanitizer and passed that file (and any
realm/username), it shows the stack overflow:

==4285==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe5aa62f70 at pc 0x000000509cb6 bp 0x7ffe5aa623f0 sp 0x7ffe5aa623e8
WRITE of size 1 at 0x7ffe5aa62f70 thread T0
    #0 0x509cb5 in getword /f/apache/httpd-2.4.27/support/htdigest.c:83:17
    #1 0x509cb5 in main /f/apache/httpd-2.4.27/support/htdigest.c:264
    #2 0x7ff1e92cc520 in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.25-r4/work/glibc-2.25/csu/../csu/libc-start.c:295
    #3 0x419fa9 in _start (/r/apache/htdigest+0x419fa9)

Address 0x7ffe5aa62f70 is located in stack of thread T0 at offset 2928 in frame
    #0 0x5087af in main /f/apache/httpd-2.4.27/support/htdigest.c:187

  This frame has 13 object(s):
    [32, 33) 'ch.i'
    [48, 52) 'argc.addr'
    [64, 72) 'argv.addr'
    [96, 104) 'f'
    [128, 132) 'rv'
    [144, 164) 'tn'
    [208, 216) 'dirname'
    [240, 496) 'user'
    [560, 816) 'realm'
    [880, 1648) 'line'
    [1776, 2544) 'l'
    [2672, 2928) 'w' <== Memory access at offset 2928 overflows this variable
    [2992, 3248) 'x'

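The report gives the faulting function and the frame layout but not the copy itself. The following is an added example, not httpd's code and not the reporter's: a reconstruction of the unbounded getword() pattern the trace points at (copy from the line buffer into a fixed-size word buffer until the separator, with no check on the destination), beside a bounded version, run over a constructed line of 766 'a' characters in the shape of the attached PoC. The buffer sizes come from the ASan frame (256 bytes for 'w' and 'x', 768 for 'line' and 'l'); the function shape, the helper names and the sample records are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the ASan frame: 'w'/'x' are 256 bytes, 'line'/'l' 768. */
#define MAX_STRING_LEN 256
#define LINE_LEN (MAX_STRING_LEN * 3)

/* Unbounded token copy in the shape of a classic getword(): copy line into
 * word up to the stop character, then shift the rest of line down.  Nothing
 * looks at the size of word.  Reconstruction (assumption), not httpd's code. */
static void getword_unbounded(char *word, char *line, char stop)
{
    size_t x, y;

    for (x = 0; line[x] != '\0' && line[x] != stop; x++)
        word[x] = line[x];          /* runs past word on a long token */
    word[x] = '\0';
    if (line[x] != '\0')
        x++;                        /* skip the separator */
    for (y = 0; (line[y] = line[x]) != '\0'; y++, x++)
        ;                           /* shift the remainder, NUL included */
}

/* Bytes the unbounded copy writes into word for this line: token plus NUL. */
static size_t token_bytes_needed(const char *line, char stop)
{
    size_t n = 0;
    while (line[n] != '\0' && line[n] != stop)
        n++;
    return n + 1;
}

/* Bytes written past a word buffer of wordsz bytes (0 when the token fits). */
static size_t overflow_bytes(const char *line, char stop, size_t wordsz)
{
    size_t need = token_bytes_needed(line, stop);
    return need > wordsz ? need - wordsz : 0;
}

/* Bounded variant: same contract plus the destination size.  Returns 0 on
 * success, or -1 with line untouched if token+NUL does not fit in wordsz. */
static int getword_bounded(char *word, size_t wordsz, char *line, char stop)
{
    size_t x, y;

    if (wordsz == 0)
        return -1;
    for (x = 0; line[x] != '\0' && line[x] != stop; x++) {
        if (x + 1 >= wordsz) {      /* no room for this byte plus the NUL */
            word[0] = '\0';
            return -1;
        }
        word[x] = line[x];
    }
    word[x] = '\0';
    if (line[x] != '\0')
        x++;
    for (y = 0; (line[y] = line[x]) != '\0'; y++, x++)
        ;
    return 0;
}

/* Constructed input like the attached PoC: a run of 'a' with no separator.
 * Returns a static buffer; run_len is capped at LINE_LEN - 1. */
static const char *poc_line(size_t run_len)
{
    static char buf[LINE_LEN];
    if (run_len >= sizeof buf)
        run_len = sizeof buf - 1;
    memset(buf, 'a', run_len);
    buf[run_len] = '\0';
    return buf;
}

/* First ':'-field of a "user:realm:hash" record via the bounded copy into a
 * MAX_STRING_LEN buffer; NULL when the field would not fit. */
static const char *first_field_bounded(const char *record)
{
    static char line[LINE_LEN], w[MAX_STRING_LEN];

    if (strlen(record) >= sizeof line)
        return NULL;
    strcpy(line, record);
    return getword_bounded(w, sizeof w, line, ':') == 0 ? w : NULL;
}

/* Same parse via the unbounded copy, but into a destination as large as the
 * line itself, which is the only reason it cannot overflow here. */
static const char *first_field_unbounded(const char *record)
{
    static char line[LINE_LEN], big[LINE_LEN];

    if (strlen(record) >= sizeof line)
        return NULL;
    strcpy(line, record);
    getword_unbounded(big, line, ':');
    return big;
}

int main(void)
{
    const char *poc = poc_line(766);

    printf("PoC token needs %zu bytes; 'w' holds %d; %zu byte(s) land past it\n",
           token_bytes_needed(poc, ':'), MAX_STRING_LEN,
           overflow_bytes(poc, ':', MAX_STRING_LEN));
    printf("bounded parse of PoC: %s\n",
           first_field_bounded(poc) ? "accepted" : "rejected");
    printf("bounded parse of a normal record: user=%s\n",
           first_field_bounded("alice:myrealm:0123456789abcdef"));
    return 0;
}
```

In this reconstruction a 766-byte token needs 767 bytes, so the unbounded copy would keep writing for 511 bytes past a 256-byte 'w' (into 'x' and whatever follows it); ASan aborts at the first of those writes, which is why the trace shows a single one-byte WRITE and does not by itself show how far the copy would run. The bounded version refuses the token before touching the line buffer, so the caller can report the malformed record instead of corrupting the stack.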