Security Advisory 06 – 058 – ImgSvr is vulnerable to a stack overflow
Vulnerability discovery and development:
Portcullis Security Testing Services. Further research was then carried out by Tim Brown and Neil Kettle.
Credit for Discovery:
Tim Brown and Neil Kettle of Portcullis Computer Security Ltd.
Affected versions:
All known versions of ImgSvr.
Following the Bugtraq posting “imgsvr dos exploit by n00b”, which described a remote Denial of Service against the Windows version of ImgSvr, research was carried out which indicated that the Linux version was also vulnerable to the same attack, although significantly more input was required.
Through further research, it was then identified that the same remote Denial of Service could also be caused by passing a large value to the template parameter as follows:
GET /?template=[large value] HTTP/1.0
In both cases this led to ImgSvr failing within the internal Ada runtime function system__file_io__open. Due to the way the Linux implementation of the GNU Ada compiler works to protect against stack overflows, a secondary stack holding saved $ebp, $eip and $esp values is maintained above the primary stack. When our request causes system__file_io__open to fail, an exception is raised and caught by the exception handler, which uses the values on the secondary stack in an attempt to handle the exception gracefully. However, because the overflow has smashed through into the $ebp and $eip values on the secondary stack, we can influence further code execution.
An attacker could cause a Denial of Service or execute arbitrary code. In addition, it is believed that variants of this vulnerability may exist in other products. ImgSvr uses AWS, a generic web server implemented in Ada which is likely to have been used in other products. Furthermore, the flaw in the secondary stack implementation can be attributed to the GNU Ada compiler and is not unique to ImgSvr.
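The trigger quoted above is a single request line carrying an abnormally long query parameter value. As an added example (not code from the advisory, from ImgSvr or from AWS), the following Python helper parses HTTP request lines in the form shown and flags any query parameter whose value exceeds a length threshold, which is the kind of check a reverse proxy or log-triage script in front of an AWS-based server could apply. The threshold (512 bytes), the sample request lines and the function names are constructed assumptions for illustration.

```python
"""Flag over-long query-string parameter values in HTTP request lines.

Added example, not part of the advisory or of the ImgSvr/AWS projects.
The threshold, parameter names and sample request lines are assumptions.
"""
from urllib.parse import parse_qsl, urlsplit

# Assumed limit: a template name should never approach this length.
MAX_PARAM_LEN = 512


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts; None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def oversized_params(target, limit=MAX_PARAM_LEN):
    """Return [(name, length)] for every query parameter longer than `limit`.

    Values are measured after percent-decoding, since that is the size the
    server actually handles. A parameter repeated several times is reported
    once, with the length of its longest value.
    """
    query = urlsplit(target).query
    longest = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        longest[name] = max(longest.get(name, 0), len(value))
    return [(name, length) for name, length in longest.items() if length > limit]


def triage(lines, limit=MAX_PARAM_LEN):
    """Scan request lines; return findings as (line index, method, param, length)."""
    findings = []
    for idx, line in enumerate(lines):
        parsed = parse_request_line(line)
        if parsed is None:
            continue  # not an HTTP request line; ignore
        method, target, _version = parsed
        for name, length in oversized_params(target, limit):
            findings.append((idx, method, name, length))
    return findings


# Constructed sample input: two benign requests, one shaped like the
# advisory's trigger (a 4096-byte template value) and one non-request line.
SAMPLE_LINES = [
    "GET / HTTP/1.0",
    "GET /?template=default HTTP/1.0",
    "GET /?template=" + "A" * 4096 + " HTTP/1.0",
    "not a request line",
]

if __name__ == "__main__":
    for idx, method, name, length in triage(SAMPLE_LINES):
        print(f"line {idx}: {method} request with {name}={length} bytes "
              f"exceeds limit of {MAX_PARAM_LEN}")
```

The length is measured after decoding because a percent-encoded payload is shorter on the wire than the buffer the server fills, and the check is per parameter name rather than per request so a long but legitimate POST body or cookie does not mask a suspicious query value.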
The proof of concept exploit code is available.
Contacted email@example.com and firstname.lastname@example.org
e-mailed – 16th January 2007
e-mailed – 22nd January 2007
e-mailed – 14th February 2007
e-mailed – 15th March 2007