CVE-2001-0820
Description
Buffer overflows in GazTek ghttpd 1.4 allow a remote attacker to execute arbitrary code via long arguments that are passed to (1) the Log function in util.c, or (2) serveconnection in protocol.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches (2)
Vulnerability mechanics
Root cause
"Missing bounds checking in `strcpy`/`strcat` calls in `protocol.c` and `vsprintf` in `util.c` allows stack buffer overflow via long URL arguments."
Attack vector
A remote attacker sends a crafted HTTP GET request with an overly long URL path (e.g., 157 'A' characters) to the ghttpd daemon [ref_id=1]. The `serveconnection` function copies this URL into a 255-byte stack buffer using `strcpy`/`strcat`, causing a stack-based buffer overflow [CWE-121]. The attacker can overwrite the saved return address and redirect execution to shellcode embedded in the request, achieving arbitrary code execution as the 'nobody' user [ref_id=1][ref_id=2]. No authentication is required; the only precondition is network access to the HTTP port (typically 80).
Affected code
The vulnerable code resides in `protocol.c` and `util.c`. In `protocol.c`, the function `serveconnection` declares a fixed-size buffer `char filename[255]` and then uses `strcpy` and `strcat` to copy attacker-controlled URL data into it without bounds checking [ref_id=1]. In `util.c`, the `Log` function uses `vsprintf` with a fixed temporary buffer, allowing an attacker to overflow it via long format arguments [ref_id=2].
What the fix does
The patch replaces `strcat(filename, ptr)` with `strncat(filename, ptr, sizeof(filename)-tno)`, where `tno` is computed as `strlen(filename)` before the concatenation [ref_id=1]. This bounds the copy to the remaining space in the fixed-size buffer, preventing the overflow. The same change is applied to both vulnerable `strcat` calls in `serveconnection` (lines 107 and 143 of `protocol.c`). No patch for the `vsprintf` overflow in `util.c` is provided in the advisory, though the advisory notes the author was contacted but did not respond [ref_id=2].
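The bounded-copy pattern the patch introduces for `serveconnection`, alongside the bounded formatting that the unpatched `Log` function in `util.c` would need, as an added C example. This is not ghttpd's code and not the advisory's patch: the helper names `bounded_append`, `build_filename` and `format_log_line`, the document root and the sample request path are all constructed here. Only the 255-byte buffer size is taken from the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Buffer size named in the advisory: serveconnection declares char filename[255]. */
#define FILENAME_LEN 255

/* Hypothetical bounded append (not ghttpd's own code).
 * Appends as much of src as fits into dst, whose capacity is dstsz bytes,
 * and always leaves dst NUL-terminated. Returns 1 if src was truncated.
 * strncat copies up to n characters and then writes a NUL after them, so
 * the limit passed to it reserves one byte for that terminator. */
int bounded_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);            /* the patch's tno */
    if (used >= dstsz)                    /* dst is not terminated within its capacity */
        return 1;
    size_t room = dstsz - used - 1;       /* characters that still fit, NUL excluded */
    size_t need = strlen(src);
    strncat(dst, src, room);
    return need > room;
}

/* Builds docroot + requested URL into filename the way serveconnection does,
 * but with the bounded append in place of strcpy/strcat.
 * Returns 1 if the request did not fit. */
int build_filename(char *filename, size_t sz, const char *docroot, const char *url)
{
    filename[0] = '\0';
    int truncated = bounded_append(filename, sz, docroot);
    truncated |= bounded_append(filename, sz, url);
    return truncated;
}

/* Bounded counterpart of a vsprintf-based logger: formats into a fixed
 * buffer with vsnprintf, which never writes more than sz bytes and always
 * NUL-terminates when sz > 0. Returns 1 if the message was cut short. */
int format_log_line(char *buf, size_t sz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sz, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= sz;
}

/* Constructed demonstration: an overlong request path is cut to fit the
 * 255-byte buffer instead of running past it. Returns 1 when both the
 * truncation flag and the resulting length are as expected. */
int demo(void)
{
    char filename[FILENAME_LEN];
    char longurl[400];                    /* constructed: "/" followed by 398 'A's */
    memset(longurl, 'A', sizeof longurl - 1);
    longurl[0] = '/';
    longurl[sizeof longurl - 1] = '\0';

    int truncated = build_filename(filename, sizeof filename, "/var/www", longurl);
    return truncated && strlen(filename) == FILENAME_LEN - 1;
}

int main(void)
{
    char line[64];
    printf("path truncated as expected: %d\n", demo());
    printf("log truncated: %d\n", format_log_line(line, sizeof line, "GET %s", "/index.html"));
    printf("%s\n", line);
    return 0;
}
```

One caveat worth checking in any strncat-based fix: because strncat appends a terminating NUL after the n characters it copies, the limit must be `sizeof(buf) - strlen(buf) - 1`, not `sizeof(buf) - strlen(buf)`; with the latter, an input that exactly fills the buffer places the terminator one byte past its end. A truncation flag, as returned above, also lets the caller reject an over-long request outright instead of silently serving a shortened path.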
Preconditions
- Network: network access to the ghttpd HTTP port (typically 80)
- Auth: no authentication required
Reproduction
The bundle includes two public exploit programs. From [ref_id=1]: send `GET /` followed by 157 bytes (NOP sled + shellcode + return address) to port 80. From [ref_id=2]: send `GET /` followed by a 165-byte buffer (NOP sled + shellcode + return address) to port 80. Both exploits bind a shell or execute `/bin/sh` under the 'nobody' user. Full source code for both exploits is reproduced in the reference write-ups.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- www.securityfocus.com/bid/2879 (nvd; Exploit; Vendor Advisory)
- marc.info (nvd)
- marc.info (nvd)
- www.securityfocus.com/bid/2965 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/6702 (nvd)