Dear Developers,
I am a Computer Science Ph.D. student at the Federal University of Campina
Grande - Brazil, advised by Rohit Gheyi. We are investigating weaknesses in
the source code of configurable systems to identify whether they may be
vulnerabilities of the system.
We found in the commit history of BusyBox (commit 02affb4) the presence of the
following code in the httpd.c file (lines 1006-1014):
#if ENABLE_FEATURE_HTTPD_RANGES
    if (responseNum == HTTP_PARTIAL_CONTENT) {
        len += sprintf(iobuf + len, "Content-Range: bytes %"OFF_FMT"u-%"OFF_FMT"u/%"OFF_FMT"u\r\n",
                range_start,
                range_end,
                file_size);
        file_size = range_end - range_start + 1;
    }
#endif
We understand that the resulting program may have vulnerabilities when the
macro "#if ENABLE_FEATURE_HTTPD_RANGES" is enabled, because of the use of
the sprintf() function. According to the CWE Project, this is classified as
CWE-134, where the program uses a function that accepts a format string as
an argument, but the format string can originate from an external source.
Also according to the CWE Project, this vulnerability can have consequences
related to confidentiality, integrity and availability, such as allowing
information disclosure, which can severely simplify exploitation of the
program, and the execution of arbitrary code.
We would be very grateful if you could tell us whether you consider this a
vulnerability and whether you are motivated to correct it.
Thanks and Regards,
--
Raphael de Carvalho Muniz, M.Sc.
Lattes: http://lattes.cnpq.br/1454914002384966
e-Mail: [email protected] / [email protected]
Phone: +55 84 98801 1218
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
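As an added illustration for readers of this archive (not part of the message above and not BusyBox code), here is the check a reviewer would apply to the quoted snippet. CWE-134 concerns a format string that an attacker can influence; in the quoted call the format string is a string literal, and only the three OFF_FMT arguments carry request-derived values. What an unbounded sprintf with a literal format actually raises is a capacity question: can iobuf hold the worst-case output? The C below, written for this page, shows a bounded version of the same call together with the worst-case length computation, and contrasts it with what a genuine CWE-134 pattern looks like. IOBUF_SIZE, the function names and the sample values are assumptions for the demo, not BusyBox's.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this demo only; not BusyBox's real iobuf size. */
#define IOBUF_SIZE 128

/* Same shape as the quoted httpd.c call, but bounded with snprintf.
 * The format string is a literal: nothing from the request is ever parsed
 * as a conversion specifier, so CWE-134 does not apply. What remains to
 * check is capacity. Returns the new total length, or -1 if the header
 * would not fit (the caller must then not send a truncated header). */
int append_content_range(char *iobuf, size_t bufsize, size_t len,
                         uint64_t range_start, uint64_t range_end,
                         uint64_t file_size)
{
    if (len >= bufsize)
        return -1;
    int n = snprintf(iobuf + len, bufsize - len,
                     "Content-Range: bytes %" PRIu64 "-%" PRIu64 "/%" PRIu64 "\r\n",
                     range_start, range_end, file_size);
    if (n < 0 || (size_t)n >= bufsize - len)
        return -1;
    return (int)(len + (size_t)n);
}

/* Worst case for that header: fixed text plus three 20-digit uint64 values
 * and CRLF. Comparing this against the buffer size is the review step that
 * an unbounded sprintf with a literal format actually calls for. */
size_t content_range_max_len(void)
{
    return strlen("Content-Range: bytes ") + 20 + 1 + 20 + 1 + 20 + 2;
}

/* What CWE-134 looks like by contrast: untrusted bytes used *as* the format
 * (snprintf(out, n, untrusted)). That call is never made here because it is
 * undefined behaviour; the safe form passes the data through "%s" so a '%'
 * in the input is copied literally. Returns 1 if the input carries a
 * conversion specifier the unsafe form would have interpreted, else 0. */
int render_untrusted(char *out, size_t outsz, const char *untrusted)
{
    snprintf(out, outsz, "%s", untrusted);
    return strchr(untrusted, '%') != NULL;
}

/* Convenience wrappers so the results can be checked without managing
 * buffers from outside. Sample values (0-499 of 1000 bytes) are constructed. */
int demo_content_range_len(size_t bufsize)
{
    char iobuf[IOBUF_SIZE];
    if (bufsize > sizeof iobuf)
        bufsize = sizeof iobuf;
    return append_content_range(iobuf, bufsize, 0, 0, 499, 1000);
}

int demo_untrusted_kept_literal(void)
{
    char out[32];
    int had_specifier = render_untrusted(out, sizeof out, "%x%x%n");
    return had_specifier && strcmp(out, "%x%x%n") == 0;
}

int main(void)
{
    char iobuf[IOBUF_SIZE];
    int len = append_content_range(iobuf, sizeof iobuf, 0, 0, 499, 1000);
    printf("%d bytes, worst case %zu: %s", len, content_range_max_len(), iobuf);
    printf("untrusted '%%' kept literal: %d\n", demo_untrusted_kept_literal());
    return 0;
}
```

The point of the contrast is that the literal-format call can at most overflow if the buffer is too small for 85 bytes of header, which is a sizing question, while the "%x%x%n" input only becomes dangerous when it is passed as the format itself.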