Posted to dev@httpd.apache.org by Ranier Vilela <ra...@cultura.com.br> on 2003/08/31 11:24:04 UTC

Possible security flaw! (Format BUG)

Hello All,
I tested the source code of httpd-2.0.47 with the tool pscan (format bug
scanner) and possible security flaws were found!
Please, can anybody check if this is a real security problem?

Thanks.

Ranier Vilela
RC Software Ltda.

------------------------------------------------------------------------------------------------------------------------------------------------

[root@desenvolvimento pscan]# ./pscan -vv -w -p wu-ftpd.pscan /usr/src/httpd-2.0.47/server/*.c
Scanning /usr/src/httpd-2.0.47/server/buildmark.c ...
Scanning /usr/src/httpd-2.0.47/server/config.c ...
/usr/src/httpd-2.0.47/server/config.c:434 FUNC printf format string with 
1 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1485 FUNC fprintf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1491 FUNC fprintf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1497 FUNC fprintf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1511 FUNC fprintf format string 
with 3 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1894 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1898 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1901 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1904 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1911 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1914 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1917 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1920 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1924 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1926 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1931 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1933 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1938 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1940 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1945 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1947 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1952 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1954 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1959 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1973 FUNC printf format string 
with 2 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1976 FUNC printf format string 
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/config.c:1988 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/config.c:1990 FUNC printf format string 
with 1 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/connection.c ...
Scanning /usr/src/httpd-2.0.47/server/core.c ...
Scanning /usr/src/httpd-2.0.47/server/error_bucket.c ...
Scanning /usr/src/httpd-2.0.47/server/exports.c ...
Scanning /usr/src/httpd-2.0.47/server/gen_test_char.c ...
/usr/src/httpd-2.0.47/server/gen_test_char.c:83 FUNC printf format 
string with 5 parameters: OK
/usr/src/httpd-2.0.47/server/gen_test_char.c:105 FUNC printf Last 
argument is variable or reference: BAD
/usr/src/httpd-2.0.47/server/gen_test_char.c:150 FUNC printf format 
string with 2 parameters: OK
/usr/src/httpd-2.0.47/server/gen_test_char.c:153 FUNC printf Last 
argument is variable or reference: BAD
Scanning /usr/src/httpd-2.0.47/server/listen.c ...
Scanning /usr/src/httpd-2.0.47/server/log.c ...
/usr/src/httpd-2.0.47/server/log.c:559 FUNC syslog format string with 1 
parameters: OK
Scanning /usr/src/httpd-2.0.47/server/main.c ...
/usr/src/httpd-2.0.47/server/main.c:91 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:92 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:93 FUNC printf format string with 2 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:101 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:103 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:107 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:111 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:115 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:119 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:123 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:127 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:131 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:135 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:139 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:141 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:143 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:148 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:152 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:156 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:160 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:164 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:168 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:172 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:176 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:180 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:184 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:188 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:190 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:195 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:199 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:203 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:207 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:212 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:216 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:220 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:224 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:228 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:232 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:236 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:240 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:244 FUNC printf Last argument is 
variable or reference: BAD
/usr/src/httpd-2.0.47/server/main.c:522 FUNC printf format string with 1 
parameters: OK
/usr/src/httpd-2.0.47/server/main.c:523 FUNC printf format string with 1 
parameters: OK
Scanning /usr/src/httpd-2.0.47/server/mpm_common.c ...
/usr/src/httpd-2.0.47/server/mpm_common.c:794 FUNC printf format string 
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/mpm_common.c:801 FUNC printf format string 
with 1 parameters: OK
/usr/src/httpd-2.0.47/server/mpm_common.c:811 FUNC printf Last argument 
is variable or reference: BAD
/usr/src/httpd-2.0.47/server/mpm_common.c:821 FUNC printf Last argument 
is variable or reference: BAD
Scanning /usr/src/httpd-2.0.47/server/protocol.c ...
/usr/src/httpd-2.0.47/server/protocol.c:689 FUNC sscanf format string 
with 3 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/provider.c ...
Scanning /usr/src/httpd-2.0.47/server/request.c ...
Scanning /usr/src/httpd-2.0.47/server/rfc1413.c ...
/usr/src/httpd-2.0.47/server/rfc1413.c:253 FUNC sscanf format string 
with 3 parameters: OK
Scanning /usr/src/httpd-2.0.47/server/scoreboard.c ...
Scanning /usr/src/httpd-2.0.47/server/util.c ...
Scanning /usr/src/httpd-2.0.47/server/util_cfgtree.c ...
Scanning /usr/src/httpd-2.0.47/server/util_charset.c ...
Scanning /usr/src/httpd-2.0.47/server/util_debug.c ...
Scanning /usr/src/httpd-2.0.47/server/util_ebcdic.c ...
Scanning /usr/src/httpd-2.0.47/server/util_filter.c ...
Scanning /usr/src/httpd-2.0.47/server/util_md5.c ...
Scanning /usr/src/httpd-2.0.47/server/util_script.c ...
Scanning /usr/src/httpd-2.0.47/server/util_time.c ...
Scanning /usr/src/httpd-2.0.47/server/util_xml.c ...
Scanning /usr/src/httpd-2.0.47/server/vhost.c ...
Warnings: 0
Total problems identified: 59
[root@desenvolvimento pscan]#


Re: Possible security flaw! (Format BUG)

Posted by Manoj Kasichainula <ma...@io.com>.
On Sun, Aug 31, 2003 at 06:24:04AM -0300, Ranier Vilela wrote:
> Hello All,
> I tested the source code of httpd-2.0.47 with the tool pscan (format bug
> scanner) and possible security flaws were found!
> Please, can anybody check if this is a real security problem?

This kind of vulnerability is only exposed when there is a format string
under the control of an unauthorized user.

It looked like all the format strings in your patches were literals and
aren't controlled by users, so they wouldn't be exploitable.
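
The distinction drawn in the reply above, as an added example (not code from httpd, pscan or either poster): the call shape the scanner reports as "Last argument is variable or reference" matters only when the variable's contents are interpreted as a format, and passing the same string as data under a literal "%s" removes that. The function names and the sample string are hypothetical and constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in s. "%%" is an escaped percent
 * sign, not a directive; a lone trailing '%' is counted as one. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the second '%' of "%%" */
        else
            n++;
    }
    return n;
}

/* The call shape the scanner reports as BAD: msg is used as the format.
 * GCC and Clang flag the same shape with -Wformat-security, silenced
 * here because the call is deliberate. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int emit_as_format(char *out, size_t n, const char *msg)
{
    if (count_directives(msg) != 0)
        return -1;          /* refuse: directives would read absent arguments */
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Corrected shape: the format is a literal and msg is only data. */
static int emit_as_data(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

int main(void)
{
    char a[64], b[64];
    const char *msg = "disk 100%% full";   /* constructed sample input */
    emit_as_format(a, sizeof a, msg);
    emit_as_data(b, sizeof b, msg);
    printf("as format: %s\nas data:   %s\n", a, b);
    return 0;
}
```

When triaging a scanner hit of this kind, the question for each flagged line is where the variable's value originates; a value that can only come from compiled-in literals is a false positive.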