hi again,
this one is old... ;-)
-------------------------------------------------
No System Group - Advisory #3 - 17/04/04
-------------------------------------------------
Program: Cherokee Web Server
Homepage: http://www.0x50.org
Vulnerable Versions: Cherokee 0.4.16 and prior
Risk: Low / Medium
Impact: Local Format String Vulnerability
-------------------------------------------------
- DESCRIPTION
-------------------------------------------------
Cherokee is a tiny, very fast, lightweight Web
server. It is implemented entirely in C, and has
no dependencies beyond a standard C library. It
is embeddable, extensible with plug-ins, and supports
on-the-fly configuration by reading files or strings.
More information at: http://www.0x50.org
- DETAILS
-------------------------------------------------
Cherokee Web Server is affected by a format string
bug in the PRINT_ERROR() function, at line 66 of
common.c:
--- common.c ---
55: void
56: PRINT_ERROR (const char *format, ...)
57: {
58: va_list arg_list;
59: CHEROKEE_TEMP(tmp, 2048);
60:
61: va_start(arg_list, format);
62: vsnprintf (tmp, tmp_size, format, arg_list);
63: va_end(arg_list);
64:
65: fprintf (stderr, "%s", tmp);
66: syslog (LOG_ERR, tmp); // The bug
67: }
--- common.c ---
We can show some parts of the stack memory by using a format string like
this:
coki@servidor:~$ cherokee -C AAAA%08x
Can't read the configuration file: 'AAAA%08x'
coki@servidor:~$ tail -n 1 /var/log/syslog
Apr 17 15:03:25 servidor cherokee: Can't read the configuration file: 'AAAA0804b780'
coki@servidor:~$
---eof---
btw: the syslog looks like this:
Oct 6 18:23:21 leela lt-cherokee: Can't read the configuration file: '/usr/local/etc/cherokee/cherokee.conf'
Oct 6 18:23:34 leela lt-cherokee: Can't read the configuration file: '0x804b81c 0xbffff754 0x276e6143 0x65722074 0x74206461'
uh, memory addresses...
patch is attached (from the advisory, looks good)
--- common.c ---
55: void
56: PRINT_ERROR (const char *format, ...)
57: {
58: va_list arg_list;
59: CHEROKEE_TEMP(tmp, 2048);
60:
61: va_start(arg_list, format);
62: vsnprintf (tmp, tmp_size, format, arg_list);
63: va_end(arg_list);
64:
<<< fprintf (stderr, "%s", tmp);
>>> syslog (LOG_ERR, "%s", tmp); /* oki ;-) */
67: }
--- common.c ---
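Review bot: the <<< / >>> pair marks the fprintf (stderr, "%s", tmp); line (65) as the one being replaced, while the vulnerable call, syslog (LOG_ERR, tmp); on line 66, no longer appears in the hunk at all; read literally, the change would drop the stderr output and say nothing about what happens to the old syslog line. The intended hunk is presumably <<< syslog (LOG_ERR, tmp); followed by >>> syslog (LOG_ERR, "%s", tmp); with line 65 left untouched. The replacement itself is the right fix: tmp becomes an argument to a constant "%s" format instead of being the format, so user-supplied '%' sequences are written literally.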
I think a version bump would be sufficient for this (0.4.17 is already in portage)...
nevertheless, it affects a server package, so it needs attention...
best regards,
florian [rootshell]
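An added example, not code from the Cherokee project or the advisory: the fixed PRINT_ERROR pattern next to a small audit helper. A hypothetical sink_log() stands in for syslog(3) so the logged line can be inspected, and count_conversions() counts the directives an untrusted string (such as the config-file argument above) would carry into a logger that misused it as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char log_sink[2048];   /* what the stand-in logger received */
/* Hypothetical stand-in for syslog(3): same calling convention, but the
 * rendered line is kept in log_sink instead of going to syslogd. */
static void sink_log(const char *format, ...)
    __attribute__((format(printf, 1, 2)));
static void sink_log(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(log_sink, sizeof log_sink, format, ap);
    va_end(ap);
}

/* PRINT_ERROR with the advisory's fix: user-controlled data is rendered
 * into tmp once, then tmp reaches the logger only as the argument of a
 * constant "%s" format, so '%' sequences in it are copied literally.
 * The format attribute lets gcc/clang -Wformat-security flag a bare
 * sink_log(tmp) call, i.e. the original line-66 mistake. */
void print_error_fixed(const char *format, ...)
    __attribute__((format(printf, 1, 2)));
void print_error_fixed(const char *format, ...)
{
    char tmp[2048];
    va_list ap;
    va_start(ap, format);
    vsnprintf(tmp, sizeof tmp, format, ap);
    va_end(ap);
    sink_log("%s", tmp);               /* was: syslog(LOG_ERR, tmp) */
}

/* Audit helper: conversion specifications that would be consumed if s
 * were used directly as a format string; "%%" is a literal percent. A
 * non-zero count on untrusted input means a logging call needs "%s". */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* skip escaped pair */
        n++;
    }
    return n;
}

/* Last line the stand-in logger recorded, for inspection. */
const char *last_log_line(void) { return log_sink; }
```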
Hmm I was confused by this one, thought it was remotely exploitable.
It's just a local information leak of stack addresses, right? If I understand this correctly, it cannot be exploited by itself. Should be fixed (and has been) but not generate a GLSA.
Security, please confirm.