Setting Up the Bug
MnoGoSearch for Unix is an open source search engine software project. The primary interface to search the backend metadata is the C program search.cgi. In August 2003, a stack-based buffer overflow was discovered in version 3.1.20 of the CGI program when handling an overly large value for the wf GET parameter. By examining some of the affected code snippets from the search.c source code file, we can study the origin of the problem. In the interest of saving space, we’ve removed the irrelevant lines and put in line numbers for cross-referencing the original source code.
544 static int PrintOneTemplate(UDM_AGENT * Agent,UDM_DOCUMENT * Doc,char * Target,char *s,int where,int ntempl){
...
902   if(!strncmp(s,"wf",2)){
903     sprintf(UDM_STREND(Target),"%s",wf?wf:"");
904     s++;
905   }else
The UDM_STREND macro finds the end of the string—in this case, Target—which is one of the function’s parameters. Then the wf buffer—which comes directly from user-controllable input—is appended to the end of the Target buffer using sprintf(), a function that performs no bounds checking. A stack-based buffer overflow can occur when Target is a static-size character buffer declared on the stack. Reviewing the rest of the source code reveals an instance of the ideal conditions for exploitation:
1125 static int PrintOption(UDM_AGENT * Agent,char * Target,int where,char * option){
1126   UDM_TAG tag;
1127   char *s;
1128   int len;
1129   char tmp[UDMSTRSIZ]="";
...
1142   PrintOneTemplate(Agent,NULL,tmp,option,where,0);
...
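To make the defect concrete, the following is an added C example (not MnoGoSearch code) that places the unbounded sprintf append from line 903 next to a bounded replacement. TMP_SIZE stands in for UDMSTRSIZ, whose real value is not given here; STREND mimics the UDM_STREND idiom; and the oversized wf value is constructed for the demonstration. The bounded version takes the capacity of the destination, computes the room left, and reports truncation instead of writing past the end of the stack buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for UDMSTRSIZ (the real value lives in the
 * MnoGoSearch headers and is not shown on this page). */
#define TMP_SIZE 64

/* Mirrors the UDM_STREND idiom: pointer to the terminating NUL of s. */
#define STREND(s) ((s) + strlen(s))

/* Vulnerable pattern as on search.c line 903, reproduced for contrast.
 * It has no idea how much room is left in target, so a long wf value
 * runs off the end of the caller's stack buffer. Only ever called here
 * with a tiny constant, never with untrusted input. */
static void append_unbounded(char *target, const char *wf)
{
    sprintf(STREND(target), "%s", wf ? wf : "");
}

/* Hardened replacement: the caller passes the capacity of target, the
 * function computes the remaining room and uses snprintf so the write
 * can never exceed the buffer. Returns 0 on success, 1 if the input was
 * truncated (a condition worth logging or rejecting), -1 on a malformed
 * destination. */
static int append_bounded(char *target, size_t cap, const char *wf)
{
    const char *nul = memchr(target, '\0', cap);
    if (nul == NULL)            /* target is not NUL-terminated within cap */
        return -1;
    size_t used = (size_t)(nul - target);
    size_t room = cap - used;   /* bytes left, including space for the NUL */
    const char *src = wf ? wf : "";
    int n = snprintf(target + used, room, "%s", src);
    if (n < 0)
        return -1;
    return (size_t)n >= room ? 1 : 0;
}

/* The check the original code should have made before calling sprintf:
 * does target (capacity cap) plus wf plus a NUL still fit? */
static int wf_fits(const char *target, size_t cap, const char *wf)
{
    size_t need = strlen(target) + (wf ? strlen(wf) : 0) + 1;
    return need <= cap;
}

/* Simulates PrintOption's tmp[UDMSTRSIZ] receiving a constructed,
 * oversized wf value. Returns 1 when the bounded append truncates and
 * leaves tmp NUL-terminated and exactly full, 0 or -1 otherwise. */
static int demo_oversized(void)
{
    char tmp[TMP_SIZE] = "wf=";
    char big[200];                      /* constructed 199-byte value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (wf_fits(tmp, sizeof tmp, big))
        return -1;                      /* 200 bytes can never fit in 64 */

    int rc = append_bounded(tmp, sizeof tmp, big);
    return (rc == 1 && strlen(tmp) == TMP_SIZE - 1) ? 1 : 0;
}

/* Same path with a value that fits: no truncation, content preserved. */
static int demo_small(void)
{
    char tmp[TMP_SIZE] = "wf=";
    int rc = append_bounded(tmp, sizeof tmp, "2222");
    return (rc == 0 && strcmp(tmp, "wf=2222") == 0) ? 1 : 0;
}

int main(void)
{
    char small[32] = "wf=";
    append_unbounded(small, "abc");     /* safe only because input is tiny */
    printf("oversized handled: %d, small handled: %d\n",
           demo_oversized(), demo_small());
    return 0;
}
```

The point of wf_fits is that the length check is trivial once the destination's capacity is known; the root problem in PrintOneTemplate is that Target arrives as a bare pointer, so the callee cannot know that line 1129 declared it as a fixed-size stack array.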