Portcullis Security Advisory 06-058 Vulnerable System: ImgSvr. Vulnerability Title: The ImgSvr is vulnerable to a stack overflow. Vulnerability discovery and development: Portcullis Security Testing Services. Further research was then carried out by Tim Brown and Neil Kettle. Credit for Discovery: Tim Brown and Neil Kettle of Portcullis Computer Security Ltd. Affected systems: All known versions of ImgSvr. Details: Following the Bugtraq posting "imgsvr dos exploit by n00b" which described a remote Denial of Service of the Windows version of ImgSvr, research was carried out which indicated that the Linux version was also vulnerable to the same attack although, significantly more input was required. Through further research, it was then identified that the same remote Denial of Service could also be caused by passing a large value to the template parameter as follows: GET /?template= HTTP/1.0 In both cases this led to ImgSvr failing within the internal ADA function system__file_io__open. Due to the way the Linux implementation of the GNU ADA compiler works to protect against stack overflows, a secondary stack of $ebp, $eip and $esp is maintained above the primary stack. When our request causes system__file_io__open to fail, an exception is caught by the exception handler which uses the values of the secondary stack in an attempt to handle the exception in a graceful manner. However, because we have smashed through into the $ebp and $eip values on the secondary stack, we can influence further code execution. Impact: An attacker could cause a Denial of Service or execute arbitrary code. In addition, it is believed that variants of this vulnerability may exist in other products. ImgSvr uses AWS, a generic web server implemented in ADA which is likely to have been used in other products. In addition, the flaw in the secondary stack implementation can be attributed to the GNU ADA compiler and is not unique to ImgSvr. Exploit: The proof of concept exploit code is available. Vendor Status: Contacted frett27@userssourceforge.net and p.orbry@wanadoo.fr e-mailed - 16th January 2007 e-mailed - 22nd January 2007 e-mailed - 14th February 2007 e-mailed - 15th March 2007 Copyright: Copyright © Portcullis Computer Security Limited 2005, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.