Advisory: CoreHTTP web server off-by-one buffer overflow vulnerability
Note: The original advisory can be found here.
|Affected products:||CoreHTTP web server versions ≤ 0.5.3.1|
|Class:||Improper Input Validation (CWE-20), Failure to Constrain Operations within Bounds (CWE-119)|
|Discovered by:||Patroklos Argyroudis|
We have discovered a remotely exploitable “improper input validation” vulnerability in the CoreHTTP web server that leads to an off-by-one stack buffer overflow. The vulnerability can lead to denial of service attacks against the web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server.
CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input
validation method for handling HTTP requests with invalid method names and
URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the
sscanf() call at file
src/http.c line numbers 45 and 46:
url are declared to be of size 256 bytes (
sscanf() call writes 256 bytes (
PATHSIZE_S) to these buffers
without NULL terminating them.
Note that this is not vulnerability
which the same
sscanf() call contained no bounds check at all.
This vulnerability can lead to denial of service attacks against the CoreHTTP web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server. We have developed a proof-of-concept exploit to demonstrate the vulnerability.
To address the problem we propose the following unofficial patch (download it from here), since CoreHTTP’s author has not released an official fix yet: