Bug 64408 (CVE-2004-1261)

Summary: VUL-0: CVE-2004-1261: buffer overflow in asp2php
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Michal Čihař <mcihar>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1261: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2004-12-20 09:05:17 UTC
We received the following report.
The issue is public.

The attack scenario for this one sounds rather constructed. I think
we can continue the current php update without fix for this.

From djb@cr.yp.to Wed Dec 15 14:21:44 2004
Date: 15 Dec 2004 08:21:54 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, mike@mikekohn.net
Subject: [remote] [control] asp2php 0.76.23 preparse() overflows token buffer; preparse() overflows temp buffer

Qiao Zhang, a student in my Fall 2004 UNIX Security Holes course, has
discovered two remotely exploitable security holes in asp2php. I'm
publishing this notice, but all the discovery credits should be assigned
to Zhang.

You are at risk if you take an ASP script from an email message (or a
web page or any other source that could be controlled by an attacker)
and feed that script through asp2php. (The asp2php documentation does
not tell users to avoid taking input from the network.) Whoever provides
that script then has complete control over your account: she can read
and modify your files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget http://downloads.mikekohn.net/asp2php/asp2php-0.76.23.tar.gz
   gunzip < asp2php-0.76.23.tar.gz | tar -xf -
   cd asp2php-0.76.23
   make

to download and compile the asp2php program, version 0.76.23 (current).
Then save the file 29-1.asp attached to this message, and type

   ./asp2php 29-1.asp

with the unauthorized result that a file named EXPLOITED is created in
the current directory. 29-2.asp is similar but uses a separate buffer
overflow. (I tested these with a 541-byte environment, as reported by
printenv | wc -c.)

Both buffer overflows can be blamed on gettoken(), which has a
fundamentally broken gets()-style API. The preparse() function calls
gettoken() to read data into a 1024-byte token[] array, and to read data
into a 1024-byte temp[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

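The report above blames gettoken() for having a gets()-style API that writes into preparse()'s fixed 1024-byte token[] and temp[] arrays with no length bound. The following is an added illustration, not code from asp2php or from the report, of what the bounded form of such a reader looks like: a hypothetical gettoken_bounded() that receives the destination size and truncates instead of overrunning, plus a preparse-style loop (count_oversized_tokens) that counts tokens which would not have fit. The function names and the constructed 2000-byte sample token are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TOKEN_MAX 1024   /* size of the token[] and temp[] arrays named in the report */

/* Hypothetical bounded replacement for a gets()-style gettoken(): copies the
 * next whitespace-delimited token from *src into out (outsz bytes incl. NUL),
 * advances *src, and returns the token length, 0 at end of input, or -1 if it
 * did not fit (out holds a truncated copy; the rest is skipped to stay in sync). */
static int gettoken_bounded(const char **src, char *out, size_t outsz)
{
    const char *p = *src;
    size_t n = 0;
    int overflow = 0;

    if (outsz == 0) return -1;
    while (*p && isspace((unsigned char)*p)) p++;   /* skip leading blanks */
    if (*p == '\0') { out[0] = '\0'; *src = p; return 0; }
    while (*p && !isspace((unsigned char)*p)) {
        if (n + 1 < outsz) out[n++] = *p;
        else overflow = 1;                          /* would have overrun out */
        p++;
    }
    out[n] = '\0';
    *src = p;
    return overflow ? -1 : (int)n;
}

/* Walks a script the way a preparse() loop would and counts tokens of
 * TOKEN_MAX bytes or more, i.e. those that would have overflowed token[]. */
static int count_oversized_tokens(const char *script)
{
    char token[TOKEN_MAX];
    const char *cur = script;
    int oversized = 0, r;
    while ((r = gettoken_bounded(&cur, token, sizeof token)) != 0)
        if (r < 0) oversized++;
    return oversized;
}

int main(void)
{
    char script[2100];                              /* constructed sample input */
    static const char tail[] = " <% Response.Write(\"ok\") %>";
    memset(script, 'A', 2000);                      /* one 2000-byte token */
    memcpy(script + 2000, tail, sizeof tail);
    printf("oversized tokens: %d\n", count_oversized_tokens(script));
    return 0;
}
```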
Comment 1 Marcus Meissner 2004-12-20 22:41:44 UTC
Since you have to run asp2php by hand (we currently do not do that
automatically at this time), this is a minor issue.

We can fix it with the next php4 update.
Comment 2 Marcus Meissner 2004-12-21 22:43:10 UTC
======================================================
Candidate: CAN-2004-1261
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1261
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/asp2php.txt

Multiple buffer overflows in the preparse function in asp2php 0.76.23
allow remote attackers to execute arbitrary code via crafted ASP
scripts.
Comment 3 Michal Čihař 2005-01-24 20:38:48 UTC
Okay, I will try not to forget about this in the next php update.
Comment 4 Michal Čihař 2005-02-04 21:44:39 UTC
Have you seen a patch for this issue?
Comment 5 Michal Čihař 2005-02-08 02:42:51 UTC
As there seems to be another report for php (bug# 50565), I'd like to see a
patch for this so that I can work on it.
Comment 6 Ludwig Nussel 2005-02-08 17:06:43 UTC
There was no patch. I just looked at the code, this thing is broken beyond
repair. It uses strcpy/strcat/sprintf without any checks all over the place.
Is asp2php executed automatically in any configuration or does the user always
need to manually invoke it? If the latter is the case I'd say forget it in old
distros and drop it in STABLE.
Comment 7 Michal Čihař 2005-02-08 19:52:47 UTC
User needs to start it manually.
Comment 8 Marcus Meissner 2005-02-08 21:22:01 UTC
I suggest:

no need to fix this script.

please consider dropping it in STABLE / for 9.3.
Comment 9 Michal Čihař 2005-02-08 21:43:59 UTC
I filed drop request.
Comment 10 Thomas Biege 2009-10-13 20:07:34 UTC
CVE-2004-1261: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)