lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <026401c30854$d210b050$e62d1c41@basement>
Date: Mon, 21 Apr 2003 17:24:46 -0500
From: "Matthew Murphy" <mattmurphy@...rr.com>
To: "Full Disclosure" <full-disclosure@...ts.netsys.com>,
   "SecurITeam News" <news@...uriteam.com>,
   "VulnWatch" <vulnwatch@...nwatch.org>,
   "BugTraq" <bugtraq@...urityfocus.com>
Subject: AN HTTPd Sample Script File Truncation


Product Description

AN HTTPd is a relatively small, powerful web server designed for Windows
systems.  It supports ISAPI, CGI, SSI, and several other powerful
technologies (such as isolated worker processes) usually only seen in
production servers.  More information on AN HTTPd is available at
http://www.st.rim.or.jp/~nakata/

Vulnerability Description

AN HTTPd (1.42h and prior) ships with several sample scripts demonstrating
various interpreters the server is capable of using.  One of these,
"count.pl", is deployed in the "/isapi" virtual directory.  It takes the
query string as part of a file path, which it uses as a page counter.  AN
HTTPd does not check for directory traversals, and also does not prevent
non-numeric data from being used as counters.

Issuing the following request:
http://www.somesite.com/isapi/count.pl?../../../../../../../../../../../../.
./../../../../../../../../../ctr.dll

Will place "ctr.dll" in the root of C: with a "1" as its contents.  This
same trick also works on writable files that already exist.  An effective
patch for this vulnerability is to issue the following request:

http://www.somesite.com/isapi/count.pl?count.pl

This will destroy the vulnerable component, preventing further exploitation.
Be nice, kiddies :-D

Some nastier stuff:

http://www.somesite.com/isapi/count.pl?../../../../../../../../../../../../.
./../../../../../../../../../windows/system32/calc.exe

You get the idea...

Impact

Attackers can overwrite any file that the CGI user can access (this userid
is SYSTEM by default if running as a service, or the user running the binary
if in GUI mode -- usually an administrator).  Contents of the destroyed
files cannot be sufficiently controlled to allow for exploitation in most
cases, as the file is replaced with numeric data.

Solution

Remove this crappy sample script, and write a web counter that uses
centralized configuration.  The exploit shown above will remove this file
from a vulnerable system.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ