Patroklos Argyroudis
CoreHTTP web server off-by-one buffer overflow vulnerability
- ,corehttp,research,vulnerability
- advisories
- buffer
- overflow
A flaw in the CoreHTTP web server (versions 0.5.3.1 and earlier) allows remote attackers to trigger an off‑by‑one stack buffer overflow during parsing of malformed HTTP method names or URIs. Because the server's sscanf() call writes a full 256 bytes into 256‑byte buffers without ensuring NULL‑termination, crafted requests can corrupt stack memory, causing denial of service and potentially enabling remote code execution with the privileges of the server process. The issue is tracked as CVE‑2009‑3586. An unofficial patch exists, as no official fix was released by the vendor.
We have discovered a remotely exploitable "improper input validation" vulnerability in the CoreHTTP web server that leads to an off-by-one stack buffer overflow. The vulnerability can lead to denial of service attacks against the web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server.
Details
CoreHTTP is a minimalist web server focusing on speed and size. More information about its features can be found here.
CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input validation method for handling HTTP requests with invalid method names and URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the sscanf() call at file src/http.c line numbers 45 and 46:
45: sscanf(parentsprock->buffer,
46: "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);The buffers req and url are declared to be of size 256 bytes (PATHSIZE) and the sscanf() call writes 256 bytes (PATHSIZE_S) to these buffers without NULL terminating them.
Note that this is not vulnerability CVE-2007-4060 in which the same sscanf() call contained no bounds check at all.
This vulnerability can lead to denial of service attacks against the CoreHTTP web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server. We have developed a proof-of-concept exploit to demonstrate the vulnerability.
To address the problem we propose the following unofficial patch (download it from here), since CoreHTTP's author has not released an official fix yet:
--- corehttp/src/common.h.orig 2009-12-01 09:29:18.000000000 +0200
+++ corehttp/src/common.h 2009-12-01 09:31:47.000000000 +0200
@@ -36,7 +36,7 @@
#define BUFSIZE 2048
#define BUFSIZE_S "2048"
#define PATHSIZE 256
-#define PATHSIZE_S "256"
+#define PATHSIZE_S "255"
#define SETSIZE 16
#ifndef GLOBALS_DEFINED