Apache "htdigest" Buffer Overflow
------------------------------------------------------------------------

SUMMARY

htdigest is "a utility included with Apache Web Server, useful to create and update usernames, realms and passwords for digest authentication of HTTP users". Due to improper testing of bounds by the htdigest program, an attacker that is able to invoke the program can cause it to execute arbitrary code.

DETAILS

The htdigest program does not perform any bounds checking when it copies the "user" and "realm" supplied as arguments to htdigest into local buffers. Therefore, by sending an overly long buffer, an attacker can trigger a buffer overflow in the program. This overflow can be exploited to cause htdigest to execute arbitrary code. This issue can become serious if htdigest is called from a CGI script available to remote users.

Proof of Concept:

  # pwd
  /root/httpd-2.0.52/support
  # ./htdigest -c file `perl -e 'print "A" x 9999'` user
  Adding password for user in realm AAAAAAAAAAAAAAAAA.............AAAAA
  New password:
  Re-type new password:
  Segmentation fault

ADDITIONAL INFORMATION

The information has been provided by Luca Ercoli <luca.ercoli@inwind.it>.
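As an added illustration (not code from the advisory, from Apache, or from htdigest itself), the following shows the kind of length check whose absence the advisory describes, and how a CGI wrapper that invokes htdigest could validate the user and realm arguments before passing them on. The buffer size MAX_STRING_LEN (256) and the function names are assumptions for this example; the thread does not show htdigest's actual constants.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed size of the local user/realm buffers. The real value in
 * htdigest is not given in the thread; 256 is chosen for illustration. */
#define MAX_STRING_LEN 256

/* The pattern the advisory describes is a plain strcpy() of argv[] into a
 * fixed stack buffer with no length test, so an argument longer than the
 * buffer overwrites whatever follows it on the stack. The checked copy
 * below refuses any argument that would not fit together with its NUL.
 * Returns 0 on success, -1 if the argument was rejected (dst is then "") */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {          /* n == dstsize-1 is the longest that fits */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* copies the terminating NUL as well */
    return 0;
}

/* What a wrapper (e.g. a CGI script) should do before invoking htdigest:
 * confirm both arguments fit the buffers the tool will use. Returns 1 if
 * both are acceptable, 0 otherwise. */
int args_are_safe(const char *user, const char *realm)
{
    char ubuf[MAX_STRING_LEN];
    char rbuf[MAX_STRING_LEN];
    return copy_checked(ubuf, sizeof ubuf, user) == 0 &&
           copy_checked(rbuf, sizeof rbuf, realm) == 0;
}

/* Build a constructed argument of `len` 'A' bytes (mirroring the advisory's
 * perl -e 'print "A" x 9999') and report whether copy_checked rejects it.
 * Returns 1 if rejected, 0 if accepted, -1 on allocation failure. */
int long_arg_rejected(size_t len)
{
    char realm[MAX_STRING_LEN];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = copy_checked(realm, sizeof realm, arg) != 0;
    free(arg);
    return rc;
}

int main(void)
{
    printf("\"myrealm\" accepted: %d\n", long_arg_rejected(7) == 0);
    printf("9999-byte realm rejected: %d\n", long_arg_rejected(9999) == 1);
    printf("user/realm pair safe: %d\n", args_are_safe("user", "realm"));
    return 0;
}
```

The check uses `n >= dstsize` rather than `n > dstsize` because the terminating NUL must also fit; an off-by-one here is the classic way a "fixed" copy stays overflowable by a single byte.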
I'm not sure of the severity on this one, but the htdigest2 utility is vulnerable as well. Apache herd, please verify/advise.
This should be filed upstream. Severity is pretty low, unless people write PHP/CGI scripts that make htdigest available to external users. However, these scripts should likely do their own input validation.