
List:       busybox
Subject:    Possible Vulnerability in httpd.c
From:       Raphael de Carvalho Muniz <raphael () copin ! ufcg ! edu ! br>
Date:       2016-11-21 14:53:00
Message-ID: CAKGQ7WnaT7V1MyVOSY7-v5iqETU2d5UWbWPL1X1EBwPCbsgPew () mail ! gmail ! com



Dear Developers,

I am a Computer Science Ph.D. student at the Federal University of Campina
Grande - Brazil, advised by Rohit Gheyi. We are investigating weaknesses in
the source code of configurable systems to identify whether they may be
vulnerabilities of the system.

We found in the commit history of BusyBox (commit 02affb4) the presence of the
following code in the httpd.c file (lines 1006-1014):

#if ENABLE_FEATURE_HTTPD_RANGES
    if (responseNum == HTTP_PARTIAL_CONTENT) {
        len += sprintf(iobuf + len, "Content-Range: bytes %"OFF_FMT"u-%"OFF_FMT"u/%"OFF_FMT"u\r\n",
                       range_start,
                       range_end,
                       file_size);
        file_size = range_end - range_start + 1;
    }
#endif

We understand that the resulting program may have vulnerabilities when the
macro "#if ENABLE_FEATURE_HTTPD_RANGES" is enabled, due to the use of the
sprintf() function. According to the CWE Project, this is classified as
CWE-134, which covers the use of a function that accepts a format string as
an argument when the format string can originate from an external source.

Still according to the CWE Project, this vulnerability can have consequences
for confidentiality, integrity and availability, such as allowing information
disclosure, which can severely simplify exploitation of the program and the
execution of arbitrary code.

We would be very grateful if you could tell us whether you consider this a
vulnerability and whether you have a motivation to correct it.

Thanks and Regards,
-- 
Raphael de Carvalho Muniz, M.Sc.
Lattes: http://lattes.cnpq.br/1454914002384966
e-Mail: raphaeldecm@gmail.com / raphael@copin.ufcg.edu.br
Fone: +55 84 98801 1218
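The snippet quoted above passes a compile-time string literal as the format argument, so the format itself is not externally supplied; what a reviewer of such code normally checks instead is whether `len` plus the formatted header still fits in the fixed-size `iobuf`, since `sprintf()` has no length bound. The following is an added example, not BusyBox code and not part of the original message: it builds the same Content-Range header with `snprintf()` and reports when the header would not fit instead of writing past the buffer. `range_t` and the `%llu` conversions are stand-ins for BusyBox's `OFF_FMT`, and `append_content_range` is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the off_t-sized values BusyBox prints with OFF_FMT. */
typedef unsigned long long range_t;

/* Append "Content-Range: bytes START-END/SIZE\r\n" to buf at offset len.
 * The format string is a literal, as in httpd.c; the difference from the
 * quoted code is that the write is bounded by cap. Returns the new length,
 * or -1 if the header would not fit (snprintf reports the length it needed). */
int append_content_range(char *buf, size_t cap, size_t len,
                         range_t range_start, range_t range_end,
                         range_t file_size)
{
    if (len >= cap)
        return -1;
    int n = snprintf(buf + len, cap - len,
                     "Content-Range: bytes %llu-%llu/%llu\r\n",
                     range_start, range_end, file_size);
    if (n < 0 || (size_t)n >= cap - len)
        return -1; /* truncated: a partial header must not be sent */
    return (int)(len + n);
}

/* Body length of the partial response, computed as the snippet does after
 * the header has been emitted. */
range_t partial_body_length(range_t range_start, range_t range_end)
{
    return range_end - range_start + 1;
}

int main(void)
{
    char iobuf[64]; /* constructed: a small stand-in for httpd's iobuf */
    int r = append_content_range(iobuf, sizeof iobuf, 0, 0, 99, 1000);
    if (r < 0) {
        puts("header did not fit");
        return 1;
    }
    fwrite(iobuf, 1, (size_t)r, stdout);
    printf("body length: %llu\n", partial_body_length(0, 99));

    /* Same header into a 16-byte buffer: -1 instead of an out-of-bounds write. */
    char small[16];
    printf("small buffer result: %d\n",
           append_content_range(small, sizeof small, 0, 0, 99, 1000));
    return 0;
}
```

The return value is the new `len`, so the caller keeps the `len += ...` shape of the original code but gets a definite signal when the buffer is exhausted; the constant format string is never the part that varies.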

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
