Synopsis: Apache 1.3.37 htpasswd buffer overflow vulnerability<br>Version: 1.3.37 (latest 1.3.xx)<br><br>Product<br>=======<br>Apache htpasswd utility<br><br>Issue<br>=====<br>A buffer overflow vulnerability has been found in htpasswd. Because htpasswd only processes its own command-line<br>arguments, it is dangerous only in environments where the binary is installed setuid root (or is otherwise run with more<br>privilege than the user supplying the arguments).<br><br>Details<br>=======<br>Incorrect validation of the size of user input allows the username argument to be copied, via<br>strcpy, into the fixed-size buffer user[]: the existing length check is nested inside a block that does not guard the copy, so on one code path the argument reaches strcpy unchecked (the patch below moves the check out of that block).<br>File: htpasswd.c, Line 421.<br>
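The mistake is easier to see in miniature. What follows is an added example written for this page, not code from Apache's htpasswd.c: it reproduces the control-flow shape the patch corrects (a length check nested inside a condition that does not guard the strcpy, so one path reaches the copy unchecked) beside a fixed shape in which the check runs on every path and the copy is bounded. The buffer size MAX_STRING_LEN, the APHTP_NOFILE flag bit, the error codes and the function names are assumptions of the demo, and the over-long case in the old shape returns a marker instead of overflowing, so the program is memory-safe to run.

```c
/*
 * Added example, not code from Apache's htpasswd.c. It models the control-flow
 * mistake the advisory describes: a length check that sits inside a condition
 * which does not guard the strcpy() it was meant to protect, so one code path
 * reaches the copy unchecked. MAX_STRING_LEN, the APHTP_NOFILE bit, the
 * error codes and the function names are assumptions made for this demo.
 */
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256        /* assumed size of the fixed buffers */
#define APHTP_NOFILE   (1u << 2)  /* assumed flag: don't touch a password file */
#define ERR_OVERFLOW   2          /* argument rejected as too long */
#define UNCHECKED_COPY 99         /* demo-only: the real code would overflow here */

/*
 * Old shape. The username length test only runs when a password file is in
 * use; with APHTP_NOFILE set it is skipped and the unbounded strcpy() copies
 * whatever argv held. To keep this demo memory-safe the over-long case reports
 * UNCHECKED_COPY instead of actually smashing the buffer.
 */
int copy_user_old(unsigned mask, const char *file_arg, const char *user_arg,
                  char *pwfilename, char *user)
{
    if (!(mask & APHTP_NOFILE)) {
        if (strlen(file_arg) > MAX_STRING_LEN - 1)
            return ERR_OVERFLOW;
        strcpy(pwfilename, file_arg);
        if (strlen(user_arg) > MAX_STRING_LEN - 1)
            return ERR_OVERFLOW;        /* check reached on this path only */
    }
    if (strlen(user_arg) > MAX_STRING_LEN - 1)
        return UNCHECKED_COPY;          /* original: strcpy() overflows user[] */
    strcpy(user, user_arg);             /* the unbounded copy */
    return 0;
}

/*
 * Fixed shape: the length test runs on every path before the copy, and the
 * copy itself is bounded so a later reshuffle of the condition cannot bring
 * the overflow back.
 */
int copy_user_fixed(unsigned mask, const char *file_arg, const char *user_arg,
                    char *pwfilename, char *user)
{
    size_t n;
    if (!(mask & APHTP_NOFILE)) {
        if (strlen(file_arg) > MAX_STRING_LEN - 1)
            return ERR_OVERFLOW;
        strcpy(pwfilename, file_arg);
    }
    n = strlen(user_arg);
    if (n > MAX_STRING_LEN - 1)
        return ERR_OVERFLOW;
    memcpy(user, user_arg, n + 1);      /* n + 1 <= MAX_STRING_LEN by the check */
    return 0;
}

/*
 * Runs one scenario: a constructed username of user_len 'A' bytes under the
 * given flags, through the old (fixed == 0) or fixed code, returning its code.
 */
int run_case(int fixed, unsigned mask, size_t user_len)
{
    static char arg[1024];
    char pwfilename[MAX_STRING_LEN], user[MAX_STRING_LEN];

    if (user_len >= sizeof arg)
        return -1;
    memset(arg, 'A', user_len);
    arg[user_len] = '\0';
    return fixed ? copy_user_fixed(mask, ".htpasswd", arg, pwfilename, user)
                 : copy_user_old(mask, ".htpasswd", arg, pwfilename, user);
}

int main(void)
{
    printf("old, file mode,   300-byte user: %d (rejected)\n", run_case(0, 0, 300));
    printf("old, no-file mode, 300-byte user: %d (unchecked copy)\n",
           run_case(0, APHTP_NOFILE, 300));
    printf("fixed, no-file mode, 300-byte user: %d (rejected)\n",
           run_case(1, APHTP_NOFILE, 300));
    printf("fixed, file mode,  255-byte user: %d (ok)\n", run_case(1, 0, 255));
    return 0;
}
```

The point of the fixed shape is not only where the check sits but that the copy is bounded by the same length the check computed, so the two cannot drift apart again.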
<br>Solution<br>========<br>Apply this patch to htpasswd.c<br><br>-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;-----8&lt;--<br><br>&nbsp; 415,419c415,420<br>&nbsp; &lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if (strlen(argv[i + 1]) &gt; (sizeof(user) - 1)) {
<br>&nbsp; &lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; fprintf(stderr, &quot;%s: username too long (&gt;%lu)\n&quot;, argv[0],<br>&nbsp; &lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (unsigned long)(sizeof(user) - 1));<br>&nbsp; &lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return ERR_OVERFLOW;<br>&nbsp; &lt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp; ---
<br>&nbsp; &gt;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp; &gt;&nbsp;&nbsp;&nbsp;&nbsp; if (strlen(argv[i + 1]) &gt; (sizeof(user) - 1)) {<br>&nbsp; &gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; fprintf(stderr, &quot;%s: username too long (&gt;%lu)\n&quot;, argv[0],<br>&nbsp; &gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (unsigned long)(sizeof(user) - 1));
<br>&nbsp; &gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return ERR_OVERFLOW;<br>&nbsp; &gt;<br>---&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----&gt;8-----<br><br>Affected Versions<br>==================<br>1.3.37
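<br>Review bot: the relocated closing brace is the whole fix, but the hunk header says six new-side lines (415,419c415,420) and only five are readable here; the last &quot;&gt;&quot; line is blank in this listing, so confirm that the &quot;}&quot; closing the moved &quot;if (strlen(argv[i + 1]) &gt; (sizeof(user) - 1))&quot; block is present before applying, or the file will not compile. Since the strcpy into user[] at line 421 (per the Details section) stays unbounded, consider also replacing it with a bounded copy such as ap_cpystrn(user, argv[i + 1], sizeof(user)) so a later rearrangement of the surrounding condition cannot reintroduce the overflow.<br>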
 - <a href="http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz">http://www.apache.org/dist/httpd/apache_1.3.37.tar.gz</a><br><br>Notes &amp; References<br>==================<br>Another similar bug was discovered by Luiz Fernando [1]; a patch written<br>by Larry Cashdollar also fixed the bug I'm posting, but it appears not to have been<br>applied to the latest versions of Apache 1.3.xx.<br><br>Michael Engert submitted another patch [1] which also fixed this bug and filed<br>a bug report [2], but it wasn't applied.<br><br>See the other posts [3][4] on this (and similar) issues.<br><br>A bug report [5] on this issue has been filed.<br><br>Credits<br>=======<br>Matias S. Soler - gnuler [at] gmail [dot] com
<br>Luiz Fernando<br>Michael Engert<br><br><br>1 - <a href="http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html">http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html</a><br>2 - <a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=31975">
http://issues.apache.org/bugzilla/show_bug.cgi?id=31975</a><br>3 - <a href="http://seclists.org/bugtraq/2004/Oct/0359.html">http://seclists.org/bugtraq/2004/Oct/0359.html</a><br>4 - <a href="http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html">
http://www.security-express.com/archives/fulldisclosure/2004-10/1117.html</a><br>5 - <a href="http://issues.apache.org/bugzilla/show_bug.cgi?id=41279">http://issues.apache.org/bugzilla/show_bug.cgi?id=41279</a><br clear="all">
<br>-- <br>Matias S. Soler<br>