[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030630014314.4d561031.fozzy@dmpfrance.com>
Date: Mon, 30 Jun 2003 01:43:14 +0200
From: Fozzy <fozzy@...france.com>
To: bugtraq@...urityfocus.com
Subject: Aprelium Abyss webserver X1 arbitrary code execution and header
injection
--[ Description ]--
Abyss Web Server is a free, closed-source, personal web server
for Windows and Linux operating systems.
Homepage : http://www.aprelium.com
The Hackademy Audit team has found two remote security holes in
Abyss Webserver X1, allowing arbitrary code execution and header
injection.
--[ Details ]--
1/ Remotely exploitable heap buffer overflow.
---------------------------------------------
A buffer of length 0x800 is allocated on the heap. An unchecked call to
strcpy() can overflow this buffer with a string of almost arbitrary
length and content which is given by a malicious attacker.
The request leading to the overflow is the following. The important part
is the two characters ":\" at the end of the requested URL :
GET /AAAAAA[...]AAAA:\ HTTP/1.0
Impact
------
Arbitrary code can be executed on the machine running Abyss
Webserver X1 with the priviledges of the user running the server.
This issue is not theoretical : we wrote a functional exploit, without
need for offset guessing or brute forcing, which works on Windows 2000
and XP (any SP).
2/ Header injection vulnerability.
----------------------------------
With the same type of request a 302 HTTP code is returned by Abyss X1.
The Location header sent by the server contains the URL initially
requested, but with %xx decoded to ASCII values. Embedding %0D, %0A, and
%20 codes into the URL is allowed, meaning HTTP headers can be added.
Impact
------
This can lead to XSS issues, setting arbitrary cookies, etc.
--[ Vulnerable/Patched Versions ]--
Version 1.1.2 (and probably lower versions) are vulnerable.
Version 1.1.6 beta gives Special Thanks to our bug reporting, so it should be
fixed.
it is unclear whether version 1.1.4 has all these bugs or only one of them. Although
the heap overflow can't be triggered by the method we mention here, Aprelium did
not confirmed that is was fixed in this version, and we did not investigate the issue
further on this version.
--[ Greetings ]--
Many thanks to Daniel Dupard for running a Win2k hacking contest with
Abyss Webserver. I completed the first part of the challenge (executing
arbitrary code on the machine) by writing an exploit for the heap overflow
vulnerability.
-- Fozzy
The Hackademy School, Journal & Audit
http://www.thehackademy.net/
Powered by blists - more mailing lists