CVE-2016-9564 - Stack-Based Buffer Overflow in Boa 0.92r

Overview

A stack-based buffer overflow exists in the send_redirect() function of the Boa web server v0.92r, allowing remote attackers to cause a denial of service via an HTTP GET request.

The CVE is located at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9564.

Boa 0.92r is available from http://www.boa.org/0.92/.

Other versions are available from https://github.com/gpg/boa/releases.


Analysis

The vulnerability exists in response.c, on line 105, where url is saved into buffer. A buffer overflow can occur because buffer has a size of 527 bytes (MAX_PATH_LENGTH, which is #define'd as 512, plus 15). The 15 bytes are for "Location: " on the left-hand side of %s (url) and "\r\n\r\n" on the right-hand side, which have string lengths of 11 and 4 characters respectively.

When compiled, buffer is allocated at ebp - 0x217, 535 bytes below the saved ebp. Before this function is reached, Boa prepends the protocol, hostname, colon and port (e.g. "http://hostname/") to url in the init_get() function in get.c.

A GET request for a file with a long name consisting only of forward slashes and dots will overwrite the stack values. The requested filename must be at least 512 minus the length of the prepended protocol, hostname and port, plus 4 bytes for the saved ebp and 4 bytes for the saved return address. For example, "GET " + "/." * 600 + " HTTP/1.1\r\n\r\n".
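
The unchecked sprintf() pattern described above beside a bounds-checked form, as an added C example that reconstructs the pattern and is not Boa's source; MAX_PATH_LENGTH, the 527-byte buffer and the "Location: ...\r\n\r\n" format follow the advisory, while "http://hostname" and the build_redirect() and redirect_for_dotted_path() helpers are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Values as the advisory describes them for Boa 0.92r; everything else here
 * is an illustrative reconstruction, not Boa's source. */
#define MAX_PATH_LENGTH 512
#define REDIRECT_BUF_SIZE (MAX_PATH_LENGTH + 15)   /* 527 bytes */

/* Vulnerable pattern: sprintf() copies url into a fixed stack buffer with no
 * length check, so an over-long url overwrites the saved ebp and return
 * address. Shown for contrast only; nothing below calls it. */
int send_redirect_unchecked(const char *url)
{
    char buffer[REDIRECT_BUF_SIZE];
    return sprintf(buffer, "Location: %s\r\n\r\n", url);
}

/* Hardened form: bound url to MAX_PATH_LENGTH, compute the space the header
 * needs before writing, and use snprintf() so a miscounted bound truncates
 * rather than overflows. Returns the header length, or -1 if url is rejected. */
int build_redirect(const char *url, char *buffer, size_t bufsize)
{
    const char *prefix = "Location: ";
    const char *suffix = "\r\n\r\n";
    size_t urllen = strlen(url);
    size_t needed = strlen(prefix) + urllen + strlen(suffix) + 1;
    if (urllen > MAX_PATH_LENGTH || needed > bufsize)
        return -1;                          /* reject instead of overflowing */
    int n = snprintf(buffer, bufsize, "%s%s%s", prefix, url, suffix);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;                          /* defensive: output was truncated */
    return n;
}

/* Models the advisory's request: "/." repeated `repeats` times, prefixed the
 * way init_get() prepends scheme and host ("http://hostname" is a constructed
 * sample). Returns what build_redirect() returns for that url. */
int redirect_for_dotted_path(int repeats)
{
    static char url[4096];
    char buffer[REDIRECT_BUF_SIZE];
    size_t len = strlen("http://hostname");
    strcpy(url, "http://hostname");
    for (int i = 0; i < repeats && len + 2 < sizeof url; i++) {
        url[len++] = '/'; url[len++] = '.';
    }
    url[len] = '\0';
    return build_redirect(url, buffer, sizeof buffer);
}
```

With the 15-byte sample host, 248 repeats (511-byte url) is the longest request the checked form accepts; 249 repeats and the advisory's 600 are rejected instead of overrunning the 527-byte buffer.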

Fixed Version

This vulnerability ceases to exist from version 0.93.14 onwards, as the developers removed sprintf() calls wherever possible (http://www.boa.org/CHANGES).

Code Snippets