OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: AnalogX "SimpleServer:WWW" dot dot bug
From: labsFOUNDSTONE.COM
Date: Tue Jul 25 2000 - 22:45:28 CDT


                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                 AnalogX "SimpleServer:WWW" dot dot bug

----------------------------------------------------------------------
FS Advisory ID: FS-072600-8-ANA

Release Date: July 26, 2000

Product: SimpleServer:WWW

Vendor: AnalogX (http://www.analogx.com)

Vendor Advisory: New patched version 1.07 available

Type: Ability to retrieve any known file from
                        hosting system

Severity: High

Author: Robin Keir(robin.keirfoundstone.com)
                        Stuart McClure (stuart.mcclurefoundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems: All Windows operating systems supported by
                        SimpleServer

Vulnerable versions: SimpleServer:WWW 1.06 (and possibly previous
                        versions)

Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

        AnalogX SimpleServer:WWW is a simple but effective web server
        designed for the home or small business user. Its main claim
        is ease of use and setup.

        SimpleServer is vulnerable to a "relative directory path"
        attack that allows a remote user to retrieve any known file
        from the file system of the server on which it is hosted.

Details

        In normal use SimpleServer protects against accessing files
        above the directory in which the server is installed. It has
        been proven to correctly deny access when using URLs of the
        following format:

        http://www.victim.com/../file.dat

        However, by substituting the dot characters with their
        equivalent hexadecimal URL encoded format of %2E this
        restriction is removed, giving the attacker full read access
        to any file on the remote system.

Proof of concept

        A HTTP request of the form

        http://www.victim.com/%2E%2E/file.dat

        will succeed in retrieving the file "file.dat" from one
        directory level above the server root directory if it exists.
        Using similar URL requests it has been shown that any known
        file on the system can be retrieved. For example, assuming
        the default installation location of SimpleServer a request
        of the form:

        http://www.victim.com/%2E%2E/%2E%2E/windows/user.dat

        would retrieve the remote users registry file from a Windows
        95/98 machine and this would highly likely contain confidential
        information.

        Another example here shows that it is possible to retrieve the
        log files from the web server directory itself:

        http://www.victim.com/%2E%2E/%2E%2E/Program%20Files/AnalogX/
        SimpleServer/www/server.log

Solution

        Download SimpleServer:www version 1.07 from

        http://www.analogx.com/contents/download/network/sswww.htm

        Prelimiary tests of the fix by Foundstone have confirmed the
        problem is corrected.

Credits

        We would like to thank AnalogX for their prompt reaction to
        this problem and their co-operation in heightening security
        awareness in the security community.

Disclaimer

        THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
        (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
        THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
        GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
        NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
        WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONQUENTIAL LOSS OR
        DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
        ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
        REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
        ADVISORY IS NOT MODIFIED IN ANY WAY.