Challenge Problem #3

Analyze the Buggy Web Server

The Buggy Web Server (BWS) is the most vulnerable piece of software you will ever come across. It was designed to be. Your job is to analyze it.

It compiles on RedHat 9, Mac OS X, and a few others. (I used RedHat.) To install, run './configure', followed by 'make' and 'make install'. You won't get all the features unless you run the server as root, but you can get some good stuff running as a normal user.

You will want to start out by reading the source code; there isn't that much to read. Then get it installed and running and test its various features. Your job is to find security problems and write exploits. There are a lot of security problems with this thing. Some we have talked about in class, others not.

You should also write documentation for the server. Briefly describe in your write-up what it does, what commands it accepts, etc.

What to hand in: Documentation for the BWS; what it does, how it works, what features it has. A numbered list of vulnerabilities along with an exploit for it. (If you don't want to write the exploit, just describe how the exploit would work; this is worth fewer points than implementing the exploit, however.) Along with each vulnerability, please describe how you found the problem and how you would repair it.

Please do not just glance over the code and say, "I think this might be a bug" and hand that in without doing any of the documenting I mentioned above. Take on this project only if you're prepared to expend significant effort and do a thorough job.

Important Notes: I will NOT help you with this project. If you decide to take on this challenge problem, you must be independent and figure out out to solve problems you encounter on your own. I'm sorry to do this, but if I do not, I simply won't be able to keep up with the rest of my job responsibilities.

It is not recommended that you tackle this project without significant networking experience. The BWS is written with virtually no comments and you'll be at quite a disadvantage if you're trying to learn network programming from scratch.

For this one challenge problem, you are allowed to work in teams. In fact, I encourage it. All team members should put their name to the report when it is done.

Extra Credit Points: 20