Title: Rosiello Security Sphiro HTTPD Remote Heap Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
Sphiro HTTPD is an HTTP daemon server designed to run on Unix and Unix variant operating systems.
It has been reported that Sphiro HTTPD is prone to a remote heap based buffer overflow vulnerability. This issue is due to a failure of the application to properly verify buffer boundaries before storing input in fixed buffers.
The problem is reported to present itself when abnormally formatted HTTP GET requests are sent to the affected service. Due to a failure to properly process the text based request, it is possible for an attacker to fool the affected daemon into reading the size of a request as zero, while the actual request can be of arbitrary length. It is reported that adding an extra space character after the GET flag of a request can trigger this condition.
Immediate consequences of this attack may cause the affected daemon to crash, denying service to legitimate users. Furthermore, due to the nature this issue, arbitrary code execution may be possible. This would occur in the context running daemon process.
Affected Products:
- Rosiello Security Sphiro HTTPD 0.1.0B
References:
- Rosiello Security: Vendor Home Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
