[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Details on the updated namazu packages that are available

In article <3C3CCEFE.6080501@xxxxxxxxxxx>
dotslash@xxxxxxxxxxx writes:

>> Doh! Looks like I slept on this one too long... heres some of my 
>> personal notes on exploiting this issue. Have fun.

Thanks for your report.

>> Here is my research on the above issues:
>> There are several buffer overflows in the QUERY_STRING options
>> Unfortunately the check in namazu.h screws us...

Yes, I had recognized it. So there is a notice about it as the

enum {
    /* Size of general buffers. This MUST be larger than QUERY_MAX */
    BUFSIZE = 1024,        

    QUERY_TOKEN_MAX =  32, /* Max number of tokens in the query. */
    QUERY_MAX       = 256, /* Max length of the query. */

    INDEX_MAX = 64        /* Max number of databases */

.. Oops, it is only QUERY_MAX, not mentioned about
CGI_QUERY_MAX. I'll fix it.

>> In other words unless you have modified namazu then you are not vuln.
>> Now we can exploit this via the command line as a side note ... although 
>> its not suid...
>> [root@linuxppc src]# ./namazu querystring `perl -e 'print "A" x 1024'`
>> Results:
>> References:  [  (can't open the index)  ]
>> No document matching your query.
>> Aborted (core dumped)

CGI program (namazu.cgi) and command-line programm (namazu) is
separated, and command-line program is prohibited to invoke as
CGI. Therefore I think it is not so serious.

At all events, I'll fix it in next release. Thanks.
NOKUBI Takatsugu
E-mail: knok@xxxxxxxxxxxxx
	knok@xxxxxxxxxx / knok@xxxxxxxxxx