
Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability



On Feb 15, 22:09, Mike Muuss wrote:
| --- Subject: Re: CIAC Advisory F-11 Report: Unix NCSA httpd Vulnerability
| 
| A Warren Pratten wrote -
| 
| > -> Until official patches are available from NCSA, CIAC recommends the following
| > -> temporary fix be installed.  In the file httpd.h, change the string length
| > -> definitions from:
| > -> 
| > ->       /* The default string lengths */
| > ->       #define MAX_STRING_LEN 256
| > ->       #define HUGE_STRING_LEN 8192
| > -> 
| > -> to:
| > -> 
| > ->       /* The default string lengths */
| > ->       #define HUGE_STRING_LEN 8192
| > ->       #define MAX_STRING_LEN  HUGE_STRING_LEN
| > -> 
| > -> Then rebuild, install, and restart the new httpd server.
| > 
| > This is a pathetic fix.  Sure it will solve the problem for a short time until
| > a clever hacker realises that all he/she has to do is overflow a larger
| > buffer.  
| 
| The quick fix that I applied is as follows:
| 
| *** util.c.SECURITY_BUG Sat May  7 22:47:15 1994
| --- util.c      Tue Feb 14 03:54:27 1995
| ***************
| *** 160,166 ****
|   {
|       char tmp[MAX_STRING_LEN];
|   
| !     strcpy(tmp,&dest[start]);
|       strcpy(dest,src);
|       strcpy(&dest[strlen(src)],tmp);
|   }
| --- 160,168 ----
|   {
|       char tmp[MAX_STRING_LEN];
|   
| ! /*    strcpy(tmp,&dest[start]);       */      /* MJM - ARL: security bug */
| !     strncpy(tmp,&dest[start], sizeof(tmp)-1);
| !     tmp[MAX_STRING_LEN-1] = '\0';     /* MJM - ARL */
|       strcpy(dest,src);
|       strcpy(&dest[strlen(src)],tmp);
|   }
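Review bot: the bounded copy protects only the 256-byte tmp; the two strcpy() calls that follow it, `strcpy(dest,src)` and `strcpy(&dest[strlen(src)],tmp)`, still write into dest with no knowledge of its size, so a long src (or src plus the saved tail) overflows dest exactly as before. The strncpy also truncates silently: when dest[start] is longer than MAX_STRING_LEN-1 bytes the rest of the tail is dropped rather than the request being rejected, so the caller gets a corrupted string with no error. Have strsubfirst take dest's capacity, compare strlen(src)+strlen(&dest[start]) against it, and return an error on overflow instead of truncating. Minor: the two added lines spell the same bound as sizeof(tmp)-1 and MAX_STRING_LEN-1; use one form.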
| 
| 
| 	Best,
| 	 -Mike
| ---

This is not a good fix, since there may be arguments to strsubfirst
with length longer than MAX_STRING_LEN, which would get truncated.

A better patch, which performs the functionality of strsubfirst
(i.e. copy src followed by dest[start] into dest) without the use
of a temporary buffer follows:

*** util.c.bak  Sat May  7 21:47:15 1994
--- util.c      Thu Feb 16 04:17:07 1995
***************
*** 158,168 ****
  
  void strsubfirst(int start,char *dest, char *src)
  {
!     char tmp[MAX_STRING_LEN];
  
!     strcpy(tmp,&dest[start]);
!     strcpy(dest,src);
!     strcpy(&dest[strlen(src)],tmp);
  }
  
  /*
--- 158,174 ----
  
  void strsubfirst(int start,char *dest, char *src)
  {
!   int src_len, dest_len, i;
  
!   if ((src_len=strlen(src))<start){  /** src "fits" in dest **/
!     for (i=0;dest[i]=src[i];i++);
!     for (i=src_len;dest[i]=dest[i-src_len+start];i++);
!   }
!   else {                             /** src doesn't fit in dest **/
!     for (dest_len=strlen(dest),i=dest_len+src_len-start;i>=src_len;i--)
!       dest[i] = dest[i-src_len+start];
!     for (i=0;i<src_len;i++) dest[i]=src[i];
!   }
  }
  
  /*
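Review bot: the function still has no way of knowing how large dest is, so the overflow has moved rather than gone. In the else branch (src_len >= start) the tail is shifted right and the last byte written is dest[dest_len+src_len-start]; for a long src, or a long dest with a small start, that is past the end of whatever buffer the caller passed, so the bug that used to overrun the 256-byte tmp on the stack now overruns dest instead. Nothing checks start against strlen(dest) either: a start beyond the terminator makes both branches read and copy whatever follows dest in memory, as the original did. Add a capacity argument (for example `size_t destsize`), reject start > dest_len, and refuse the call when dest_len+src_len-start >= destsize rather than writing.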


Please apply this patch, recompile httpd, kill the current running process
and restart the new httpd.  In the following two days, we will be updating
our FTP server with this new source code and binaries for different systems.  
Thanks for reporting these security holes,

- Carlos.

------------------------------------------------------------------------
Carlos A. Varela (cvarela@uiuc.edu)     U. of Illinois, Urbana-Champaign
NCSA SDG Research Assistant                          CS Graduate Student
http://fiaker.ncsa.uiuc.edu:8080/                      fax:(217)333-5973
------------------------------------------------------------------------
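The bounded version of strsubfirst that both patches in this thread stop short of, as an added example (not NCSA's code and not part of the original messages): the caller passes dest's capacity and the call refuses rather than overflows. The signature strsubfirst_bounded(start, dest, destsize, src), the scaffolding apply()/long_tail_case()/result() with their static scratch buffer, and all sample strings are assumptions made for this example; strsubfirst_orig() reproduces the function quoted above for comparison only and is called here with input that fits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING_LEN 256   /* value from httpd.h before the CIAC workaround */

/* The function as shipped, reproduced from the thread for comparison only:
 * tmp is a fixed 256-byte stack buffer and all three copies are unbounded. */
void strsubfirst_orig(int start, char *dest, char *src)
{
    char tmp[MAX_STRING_LEN];

    strcpy(tmp, &dest[start]);
    strcpy(dest, src);
    strcpy(&dest[strlen(src)], tmp);
}

/* Added example, not NCSA code.  Same result as strsubfirst(): dest becomes src
 * followed by the old dest[start..].  The caller passes dest's capacity in bytes
 * (destsize, NUL included) and the call fails instead of writing past it.
 * Assumed precondition: src does not overlap dest.  Returns 0 on success, -1 with
 * dest untouched when dest is not NUL-terminated within destsize, start lies past
 * the end of dest, or the result would not fit. */
int strsubfirst_bounded(size_t start, char *dest, size_t destsize, const char *src)
{
    const char *nul;
    size_t dest_len, src_len, tail_len;

    if (destsize == 0)
        return -1;
    nul = memchr(dest, '\0', destsize);   /* never run strlen() off the buffer */
    if (nul == NULL)
        return -1;
    dest_len = (size_t)(nul - dest);
    if (start > dest_len)
        return -1;                        /* the original would read past the NUL */

    src_len = strlen(src);
    tail_len = dest_len - start;          /* bytes of dest that survive, NUL excluded */

    /* Result is src_len + tail_len bytes plus the NUL; the comparisons are
     * ordered so the subtraction cannot wrap. */
    if (src_len >= destsize || tail_len > destsize - 1 - src_len)
        return -1;

    /* Shift the tail (with its NUL) into place first; memmove handles overlap
     * in either direction, so no temporary buffer is needed. */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

/* Scaffolding: run one case in a static buffer so the outcome can be inspected.
 * apply() copies the constructed sample `initial` into scratch and presents only
 * `cap` bytes of it to strsubfirst_bounded(); result() returns the buffer. */
static char scratch[MAX_STRING_LEN + 64];

int apply(const char *initial, size_t cap, size_t start, const char *src)
{
    memset(scratch, 0, sizeof scratch);
    strcpy(scratch, initial);             /* sample inputs are far shorter than scratch */
    return strsubfirst_bounded(start, scratch, cap, src);
}

/* The case this thread is about: a tail longer than MAX_STRING_LEN (290 'A's).
 * strsubfirst_orig() would copy 291 bytes into its 256-byte tmp; the bounded
 * version completes when dest has room and refuses when it does not. */
int long_tail_case(size_t cap)
{
    memset(scratch, 'A', 290);
    scratch[290] = '\0';
    return strsubfirst_bounded(0, scratch, cap, "x");
}

const char *result(void)
{
    return scratch;
}

int main(void)
{
    char e[32] = "0123456789";

    strsubfirst_orig(5, e, "ab");                 /* input that fits: ab56789 */
    printf("orig:    %s\n", e);
    apply("0123456789", 32, 5, "ab");             /* src shorter than start */
    printf("bounded: %s\n", result());
    apply("0123456789", 32, 2, "hello");          /* src longer than start: tail shifts right */
    printf("bounded: %s\n", result());
    printf("refused: rc=%d dest=%s\n",            /* needs 23 bytes, only 16 available */
           apply("0123456789", 16, 2, "fourteen chars"), result());
    printf("long tail: rc=%d (cap 320), rc=%d (cap 291)\n",
           long_tail_case(320), long_tail_case(291));
    return 0;
}
```

The size argument is the whole fix: once the function knows destsize it can check the final length before touching memory, and memmove removes the need for the temporary buffer that the original overran. Callers in httpd that pass fixed-size arrays would pass sizeof(buf) and treat -1 as a malformed request rather than continuing with a truncated string.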

