From: cvarela@void.ncsa.uiuc.edu (Carlos A. Varela)
Newsgroups: comp.infosystems.www.providers
Subject: Re: Advisory: Unix NCSA httpd Vulnerability (fwd)
Date: 16 Feb 1995 11:17:39 GMT
Organization: University of Illinois at Urbana
Message-ID: <3hvc8j$j4n@vixen.cso.uiuc.edu>
References: <3huhl4$l2e@vixen.cso.uiuc.edu>

Carlos A. Varela (cvarela@void.ncsa.uiuc.edu) wrote:
: Phantom (marvel@alife.santafe.edu) wrote:
: : _____________________________________________________________________________
: : PROBLEM:       A vulnerability has been discovered in the NCSA WWW server
: :                software (httpd).
: : PLATFORMS:     Unix systems running NCSA httpd version 1.3.
: : DAMAGE:        Remote users may gain unauthorized access.
: : SOLUTION:      Implement workaround as described below.
: : _____________________________________________________________________________
: : VULNERABILITY  This vulnerability, along with an automated exploitation
: : ASSESSMENT:    script, has been announced in public forums on the Internet.
: :                CIAC recommends that sites install the workaround on affected
: :                systems as soon as possible.
: : _____________________________________________________________________________
: :
: : Until official patches are available from NCSA, CIAC recommends the following
: : temporary fix be installed. In the file httpd.h, change the string length
: : definitions from:
: :
: :     /* The default string lengths */
: :     #define MAX_STRING_LEN 256
: :     #define HUGE_STRING_LEN 8192
: :
: : to:
: :
: :     /* The default string lengths */
: :     #define HUGE_STRING_LEN 8192
: :     #define MAX_STRING_LEN HUGE_STRING_LEN
: :
: : Then rebuild, install, and restart the new httpd server.
:
: We have been warned about this security hole in NCSA httpd. As advised,
: please change the default string lengths in httpd.h, rebuild, and
: restart the server.
: This is a temporary solution; we will keep you
: posted as we find more information about this security hole. Thanks.

A patch, which performs the functionality of strsubfirst (i.e. copy src
followed by dest[start] into dest) without the use of a temporary buffer,
follows:

*** util.c.bak Sat May 7 21:47:15 1994 --- util.c Thu Feb 16 04:17:07 1995 *************** *** 158,168 **** void strsubfirst(int start,char *dest, char *src) { ! char tmp[MAX_STRING_LEN]; ! strcpy(tmp,&dest[start]); ! strcpy(dest,src); ! strcpy(&dest[strlen(src)],tmp); } /* --- 158,174 ---- void strsubfirst(int start,char *dest, char *src) { ! int src_len, dest_len, i; ! if ((src_len=strlen(src))=src_len;i--) ! dest[i] = dest[i-src_len+start]; ! for (i=0;i
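Review bot: the replacement keeps the signature `void strsubfirst(int start,char *dest, char *src)` with no capacity argument for dest, so although the fixed `char tmp[MAX_STRING_LEN]` and its three unchecked `strcpy` calls are gone, the in-place shift `dest[i] = dest[i-src_len+start]` still writes strlen(src) plus the length of `&dest[start]` bytes into dest and overruns it whenever the caller's buffer is smaller than that; suggest passing the destination size (or documenting that dest must hold HUGE_STRING_LEN bytes) and returning an error when the result would not fit. Also, the hunk as posted is cut off after `for (i=0;i` and the condition `if ((src_len=strlen(src))=src_len;i--)` has lost its comparison operator, so the bounds of the shifting loops cannot be verified from what is shown.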
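As an added example (not NCSA's code and not the posted patch), here is a C version of the same in-place copy that also takes the capacity of dest and refuses any write that would not fit; the function name `strsubfirst_safe` and the sample strings are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Copy src followed by dest[start..] into dest, in place and without a
 * temporary buffer, as the posted patch does, but bounded by dest_cap.
 * Returns 0 on success, -1 if start is out of range or the result plus
 * its NUL would exceed dest_cap bytes; dest is left untouched on failure.
 * (The original used a fixed char tmp[MAX_STRING_LEN] with no such check.)
 */
int strsubfirst_safe(size_t start, char *dest, size_t dest_cap, const char *src)
{
    size_t dest_len, src_len, tail_len;

    if (dest_cap == 0)
        return -1;
    dest_len = strlen(dest);
    src_len = strlen(src);
    if (start > dest_len)              /* tail would begin past the terminator */
        return -1;
    tail_len = dest_len - start;       /* bytes of dest kept after the insert */

    /* Reject before touching dest: need src_len + tail_len + 1 <= dest_cap. */
    if (src_len > dest_cap - 1 || tail_len > dest_cap - 1 - src_len)
        return -1;

    /* Shift the tail (with its NUL) to its final offset; memmove handles the
       overlap in either direction, which is what the temp buffer was for. */
    memmove(dest + src_len, dest + start, tail_len + 1);
    memcpy(dest, src, src_len);
    return 0;
}

int main(void)
{
    char buf[16] = "Hello, World";     /* constructed sample input */

    if (strsubfirst_safe(7, buf, sizeof buf, "Big ") == 0)
        printf("ok: \"%s\"\n", buf);   /* ok: "Big World" */

    /* 20 bytes of src plus the 5-byte tail cannot fit in a 16-byte buffer. */
    if (strsubfirst_safe(4, buf, sizeof buf, "01234567890123456789") != 0)
        printf("refused: \"%s\" unchanged\n", buf);
    return 0;
}
```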