#3 Null HTTPd Heap Overflow Vulnerability

open
nobody
None
5
2003-03-15
2003-03-15
No

I've discovered a heap overflow vulnerability in Null
HTTPd that could lead to exploitable memory corruption
in the server process.

An insecure sscanf(3) call in processing the top line of
the request could cause a buffer overflow if the request
method is unusually long:

AAAAAAA[...] / HTTP/1.0

Contents of the user's buffer appear in the output,
among other places. On Win32, I was not able to
exploit this vulnerability, but some systems use MMS
structures that are closer to the buffer (e.g., Red Hat
Linux).
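
The report does not show the sscanf(3) call itself. As an added example (not Null HTTPd's code and not part of the original report), this is one bounded way to parse the top line of a request so that an overlong method is rejected rather than copied; the struct, function name and buffer sizes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field sizes; not taken from Null HTTPd's source. */
#define METHOD_MAX 8
#define URI_MAX    1024
#define PROTO_MAX  16

struct request_line {
    char method[METHOD_MAX];
    char uri[URI_MAX];
    char proto[PROTO_MAX];
};

/* The unsafe pattern is an unbounded conversion, for illustration:
 *     sscanf(line, "%s %s %s", method, uri, proto);
 * "%s" copies until whitespace, however small the destination is. */

/* Parse "METHOD URI PROTOCOL". Returns 0 on success, -1 if the line is
 * malformed or any token does not fit its buffer. */
int parse_request_line(const char *line, struct request_line *r)
{
    int n1 = 0, n2 = 0, n3 = 0;
    memset(r, 0, sizeof *r);
    /* Each width is the buffer size minus one, leaving room for the NUL. */
    if (sscanf(line, "%7s%n %1023s%n %15s%n",
               r->method, &n1, r->uri, &n2, r->proto, &n3) != 3)
        return -1;
    /* A width-limited %s stops mid-token, so confirm that each token
     * really ended at a separator and was not silently truncated. */
    if (line[n1] != ' ' || line[n2] != ' ')
        return -1;
    if (line[n3 + strspn(line + n3, "\r\n")] != '\0')
        return -1;
    return 0;
}

int main(void)
{
    struct request_line r;
    /* Constructed sample inputs. */
    const char *ok  = "GET / HTTP/1.0\r\n";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA / HTTP/1.0\r\n";
    printf("normal request: %d\n", parse_request_line(ok, &r));
    printf("long method:    %d\n", parse_request_line(bad, &r));
    return 0;
}
```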
