Bug 143080 - CAN-2004-1261 Bernstein class reports buffer overflow in asp2php
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: asp2php
Version: 2.1
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: Joe Orton
QA Contact: Brian Brock
Whiteboard: impact=low,public=20041215
Keywords: Security
Reported: 2004-12-16 08:07 EST by Josh Bressers
Modified: 2007-11-30 17:06 EST (History)

Last Closed: 2005-03-02 14:37:14 EST
Description Josh Bressers 2004-12-16 08:07:31 EST
http://tigger.uic.edu/~jlongs2/holes/asp2php.txt

--

Qiao Zhang, a student in my Fall 2004 UNIX Security Holes course, has
discovered two remotely exploitable security holes in asp2php. I'm
publishing this notice, but all the discovery credits should be assigned
to Zhang.

You are at risk if you take an ASP script from an email message (or a
web page or any other source that could be controlled by an attacker)
and feed that script through asp2php. (The asp2php documentation does
not tell users to avoid taking input from the network.) Whoever provides
that script then has complete control over your account: she can read
and modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget http://downloads.mikekohn.net/asp2php/asp2php-0.76.23.tar.gz
   gunzip < asp2php-0.76.23.tar.gz | tar -xf -
   cd asp2php-0.76.23
   make

to download and compile the asp2php program, version 0.76.23 (current).
Then save the file 29-1.asp attached to this message, and type

   ./asp2php 29-1.asp

with the unauthorized result that a file named EXPLOITED is created in
the current directory. 29-2.asp is similar but uses a separate buffer
overflow. (I tested these with a 541-byte environment, as reported by
printenv | wc -c.)

Both buffer overflows can be blamed on gettoken(), which has a
fundamentally broken gets()-style API. The preparse() function calls
gettoken() to read data into a 1024-byte token[] array, and to read data
into a 1024-byte temp[] array.
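The following is an added example written for this page, not asp2php's own gettoken() or preparse(). It shows the defect the advisory describes in miniature: a tokenizer with a gets()-style API that copies into the caller's 1024-byte array without ever learning its size, placed beside a bounded version. The whitespace-delimited token rule, the function names and the sample ASP fragment (a 1500-byte identifier) are assumptions made for the illustration; the overlong token is measured rather than fed to the unbounded tokenizer, so the program runs without triggering the overflow it demonstrates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_SIZE 1024   /* same size as the token[] array in preparse() */

/* Hypothetical gets()-style tokenizer of the shape the advisory describes:
 * it copies the next whitespace-delimited token into out[] and is told
 * nothing about how big out[] is, so a token longer than the caller's
 * array overruns it. Returns a cursor just past the token. */
static const char *gettoken_unbounded(const char *src, char *out)
{
    while (*src == ' ' || *src == '\t' || *src == '\n')
        src++;
    while (*src && *src != ' ' && *src != '\t' && *src != '\n')
        *out++ = *src++;
    *out = '\0';
    return src;
}

/* Hardened form: the caller passes sizeof(out). Bytes that do not fit are
 * dropped, the result is always NUL-terminated, the cursor still advances
 * past the whole token so the parser stays in sync, and the return value
 * reports truncation (0 = token fit, -1 = token was truncated). */
static int gettoken_bounded(const char **src, char *out, size_t outsz)
{
    const char *p = *src;
    size_t n = 0;
    int truncated = 0;

    while (*p == ' ' || *p == '\t' || *p == '\n')
        p++;
    while (*p && *p != ' ' && *p != '\t' && *p != '\n') {
        if (n + 1 < outsz)
            out[n++] = *p;
        else
            truncated = 1;
        p++;
    }
    if (outsz > 0)
        out[n] = '\0';
    *src = p;
    return truncated ? -1 : 0;
}

/* Bytes the unbounded tokenizer would write for the next token, NUL
 * included: lets the demo show an overflow would occur without causing one. */
static size_t next_token_len(const char *src)
{
    size_t n = 0;
    while (*src == ' ' || *src == '\t' || *src == '\n')
        src++;
    while (*src && *src != ' ' && *src != '\t' && *src != '\n') {
        n++;
        src++;
    }
    return n + 1;
}

/* Constructed sample input (not the 29-1.asp attachment): an ASP fragment
 * whose third token is a 1500-byte identifier, well over TOKEN_SIZE. */
#define LONG_ID_LEN 1500
static const char *build_script(void)
{
    static char script[LONG_ID_LEN + 64];
    const char *head = "<% Response.Write ";
    size_t i = strlen(head);
    memcpy(script, head, i);
    memset(script + i, 'A', LONG_ID_LEN);
    i += LONG_ID_LEN;
    memcpy(script + i, " %>", 4);   /* 4 bytes copies the NUL too */
    return script;
}

/* Walks the sample input the way a preparse() loop would: the first two
 * tokens fit, the third does not. Returns the bounded tokenizer's verdict
 * on the long token (-1, truncated, is the expected result). */
static int demo(void)
{
    char token[TOKEN_SIZE];
    const char *cur = build_script();
    int rc;

    cur = gettoken_unbounded(cur, token);   /* "<%" fits */
    cur = gettoken_unbounded(cur, token);   /* "Response.Write" fits */

    /* The original would call gettoken() once more here and write 1501
     * bytes into the 1024-byte token[]. We only measure it. */
    printf("next token needs %zu bytes, token[] holds %d\n",
           next_token_len(cur), TOKEN_SIZE);

    rc = gettoken_bounded(&cur, token, sizeof token);
    printf("bounded tokenizer: rc=%d, kept %zu bytes, rest of input \"%s\"\n",
           rc, strlen(token), cur);
    return rc;
}

int main(void)
{
    return demo() == -1 ? 0 : 1;
}
```

The design point is the one Orton's closing comment makes implicitly: passing the array size is necessary but not sufficient. A caller that ignores the -1 and carries on with a silently truncated identifier still produces a wrong translation, so a real fix has to decide at every gettoken() call site whether a too-long token is an error, and that is the redesign the package never received.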
Comment 3 Joe Orton 2005-03-02 14:37:14 EST
Marking as WONTFIX; asp2php is not safe to run on "untrusted" input
code and requires a redesign to fix that.  The package has been
dropped from releases of Red Hat Enterprise Linux from v3 onwards.
