xorl %eax, %eax

Zervit HTTPd Remote Buffer Overflow


I just saw this email where “e.wiZz!” reports a remotely exploitable vulnerability in a not-so-famous web server named Zervit. He states that he found it using a fuzzer. It’s not uncommon for fuzzers to locate some pretty exotic bugs, so I decided to spend a couple of minutes and write this post… By the way, this is fixed in the 0.03 release of that web server. Anyway, here is the bug:

http.h:
struct http_data{
        SOCKET sck;
        char file[512];           /* fixed-size target of the copy below */
        char keep_alive;
        char data[2048];
        char user_agent[512];
        unsigned long ptr;
};


http.c:
void parse_http(struct http_data *msgs)
{
    ...
                if(strcmp(ch,"GET")==0){
    ...
                        ch=get_word(msgs);        /* next word of the request line, no length limit */
                        strcpy(msgs->file,ch);    /* unbounded copy into file[512] */

No comment… seriously, using a fuzzer to find this… man…
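As an added example (not Zervit’s code), here is the same copy done with a length check against the 512-byte file buffer: the struct stand-in, request_path_copy(), handle_get_line() and demo_request() are hypothetical names, and the GET-only, space-delimited parsing mirrors the snippet above.

```c
/* Added example, not Zervit's code: a bounded replacement for the
 * strcpy(msgs->file, ch) pattern shown above. FILE_MAX mirrors file[512]. */
#include <stdio.h>
#include <string.h>

#define FILE_MAX 512

struct http_data_demo {         /* reduced stand-in for struct http_data */
    char file[FILE_MAX];
};

/* Store a request word of `len` bytes in msgs->file only if it fits with
 * its terminator. Returns 0 on success, -1 when it would overflow. */
int request_path_copy(struct http_data_demo *msgs, const char *ch, size_t len)
{
    if (len >= sizeof msgs->file)       /* need one byte for the NUL */
        return -1;
    memcpy(msgs->file, ch, len);
    msgs->file[len] = '\0';
    return 0;
}

/* Minimal get_word() stand-in: the word after "GET " up to the next
 * space (or end of line) is the request target handed to the copy. */
int handle_get_line(struct http_data_demo *msgs, const char *line)
{
    const char *p, *end;
    if (strncmp(line, "GET ", 4) != 0)
        return -1;
    p = line + 4;
    end = strchr(p, ' ');
    return request_path_copy(msgs, p, end ? (size_t)(end - p) : strlen(p));
}

/* Build a request whose target is "/" plus n 'A's and try to store it. */
int demo_request(size_t n)
{
    struct http_data_demo msgs;
    char line[2048] = "GET /";
    size_t i;
    for (i = 0; i < n && 5 + i < sizeof line - 10; i++) line[5 + i] = 'A';
    memcpy(line + 5 + i, " HTTP/1.0", 10);      /* room reserved above */
    return handle_get_line(&msgs, line);
}

int main(void)
{
    printf("%d %d\n", demo_request(100), demo_request(600));   /* 0 -1 */
    return 0;
}
```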

Written by xorl

April 21, 2009 at 13:36

Posted in bugs

10 Responses


  1. Is it really fixed in 0.03? It looks exactly the same.

    W.

    April 21, 2009 at 19:24

  2. I didn’t even look at 0.03 source code. This is just a pet project, I don’t think that it matters whether it’s vulnerable or not.
    I doubt that there is even a single person out there using that HTTPd. If it’s the same then 0.03 is vulnerable too.

    The whole point of this post was sarcasm for people using fuzzers to find strcpy() overflows in 2009!!!
    btw, you don’t even need a fuzzer, people used to find those bugs using grep :-P

    xorl

    April 21, 2009 at 19:57

  3. that’s true :)

    W.

    April 21, 2009 at 20:05

  4. http://balcansecurity.com/staticpages/index.php/ServMeNot
    that’s the fuzzer, lol, first web server fuzzer?
    somebody just left the cave?

    good thing it wasn’t a gets() BOF :)

    btw , nice site xorl !

    ea

    April 22, 2009 at 20:33

  5. lol @ fuzzer!
    Also, thanks for your comment, I really appreciate it.

    xorl

    April 22, 2009 at 22:21

  6. lol, I think that you are a really stupid guy….
    that “e.wiZz!” maybe didn’t watch the source, maybe he did it for fun, you can’t understand it I think

    d

    July 1, 2009 at 13:11

  7. you are stupid, that code you put isn’t a bug, lol stop acting like a hacker, you are gay :)

    r00t

    July 1, 2009 at 13:12

  8. haha! To clarify here… “d” and “r00t” posted from the same dynamic IP. So, either one of you is owned, or you’re living together and using the same connection or… you’re the exact same person.

    P.S.: OF COURSE I’M NOT A HACKER!!! If you had ever met one you wouldn’t use that word so easily.

    xorl

    July 1, 2009 at 21:24

  9. Well, that bug has been fixed in 0.03; if you don’t understand C please don’t say that “it looks the same”. The problem was not very well described: it is not strcpy, it is the static variable, which is now malloced with the right size before being strcpyed.
    I don’t have much time to develop Zervit but I try to fix “security” bugs when they are discovered. I work with security and I know that in these times it is easier to find bugs than to develop secure code. This project started for an office that needed an “easy file sharing tool” and after that I hosted it on sourceforge (maybe someone finds it useful). But now it is my responsibility to maintain an almost-secure software for the people that use it.

    Nice blog, very good information.

    seba

    July 5, 2009 at 20:01

  10. LoL, I just tried to promote my fuzzer :) And I do it for fun, not for money (idefense, zdi)… you can’t understand it I think :)
    anyway, best wishes
    e.wiZz!

    e.wiZz!

    August 2, 2009 at 22:09
