Bugtraq mailing list archives

Overflow in Alibaba Web Server 2.0 (VD#4)


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Sat, 6 Nov 1999 00:01:33 -0800


-------------------------------------------------------------------
Periodically, the moderator of the vuln-dev mailing list will post
summaries of issues discussed there to Bugtraq and possibly other relevant
lists.  This will usually happen when an issue has been resolved, or it
appears that there will be no further discussion on vuln-dev.  Each
separate issue will be given its own posting to facilitate referencing
them separately, for discussion, forwarding, or appearance in vulnerability
databases.

To subscribe to vuln-dev, send an e-mail to listserv () securityfocus com,
with the word SUBSCRIBE in the body of the message.

A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev
(click on these sections, the web pages are forms-based.)
-------------------------------------------------------------------

There have been some other interesting problems in relation to the Alibaba
web server mentioned on Bugtraq already.  This was brought up earlier on
vuln-dev, and there is also some information about what Alibaba is, and how
widely it is used.

From:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-22&msg=199910281536.RAA18018 () mail1 cityweb de

To:          Exploit-Dev
Subject:     Possibly exploitable overflow in Alibaba 2.0
Date:        Thu Oct 28 1999 10:57:43
Author:      Thomas Dullien
Message-ID:  <199910281536.RAA18018 () mail1 cityweb de>

Hello all together,

Tried a little freeware webserver named Alibaba 2.0 today
and found an exploitable overflow. I telnetted to 127.0.0.1:80
and crashed it using
POST [enter 1028 'x'] / HTTP/1.0

scanf("%s %s %s", szName, szFile, szSomething);

where szFile is a local variable of 0x400 (=1024) bytes
on the stack directly above the return address.
Coding an exploit for this is going to be a little tricky as
it mustn't have any 0x20, 0x00, 0x61-0x7A in it since
these bytes are changed by the foregoing function
that converts everything into uppercase.

I contacted the authors but they stated since it's freeware
there will be no support to it :)
If someone wants to code a full exploit, go ahead :)

--------------------------------------------------
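For readers who want to see the bug class rather than the product: the pattern Thomas describes above is a width-less `%s` scan into a fixed 0x400-byte stack buffer, so any token of 1024 bytes or more runs off the end. Below is an added C example (not code from Alibaba or from anyone in the thread) that parses the same three request-line tokens with an explicit length check and refuses the over-long request instead of truncating or overflowing. The struct, function names, error codes and the constructed sample request are assumptions; only the 1024-byte buffer size and the "method, 1028 bytes, path, version" request shape come from the post.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The post reports szFile as a 0x400-byte local; we keep the same size so the
 * rejected input below is exactly the one that overran it. */
#define TOKEN_MAX 1024

struct request_line {
    char method[TOKEN_MAX];
    char path[TOKEN_MAX];
    char version[TOKEN_MAX];
};

enum parse_result { PARSE_OK = 0, PARSE_TOO_LONG = -1, PARSE_MALFORMED = -2 };

/* The shape of the vulnerable call as described in the post. Without a field
 * width, %s copies until whitespace, however long the token is:
 *
 *     scanf("%s %s %s", szName, szFile, szSomething);
 *
 * A field width ("%1023s") stops the overflow but silently truncates, and the
 * leftover bytes of a long token are then scanned as the *next* token, so the
 * request is misparsed rather than rejected.  The tokenizer below fails closed. */

/* Copy one space-delimited token from *cursor into dst (capacity cap bytes).
 * Fails if the token is empty or would not fit together with its NUL. */
static int copy_token(const char **cursor, char *dst, size_t cap)
{
    const char *p = *cursor;
    size_t len = strcspn(p, " \r\n");      /* token ends at space or end of line */

    if (len == 0)
        return PARSE_MALFORMED;
    if (len >= cap)
        return PARSE_TOO_LONG;             /* reject; never truncate silently */

    memcpy(dst, p, len);
    dst[len] = '\0';
    p += len;
    while (*p == ' ')                      /* skip the separator(s) */
        p++;
    *cursor = p;
    return PARSE_OK;
}

/* Parse "METHOD PATH VERSION" with every token bounded by its destination. */
int parse_request_line(const char *line, struct request_line *req)
{
    const char *cursor = line;
    int rc;

    if ((rc = copy_token(&cursor, req->method, sizeof req->method)) != PARSE_OK)
        return rc;
    if ((rc = copy_token(&cursor, req->path, sizeof req->path)) != PARSE_OK)
        return rc;
    return copy_token(&cursor, req->version, sizeof req->version);
}

/* Constructed sample input: the request shape reported in the post, a method
 * followed by a 1028-byte token, four bytes more than the 1024-byte buffer.
 * Returns the parser's verdict (PARSE_TOO_LONG) instead of a crash. */
int demo_oversized_request(void)
{
    static char line[sizeof "POST " + 1028 + sizeof " / HTTP/1.0\r\n"];
    struct request_line req;
    size_t n = 0;

    memcpy(line + n, "POST ", 5);                 n += 5;
    memset(line + n, 'x', 1028);                  n += 1028;
    memcpy(line + n, " / HTTP/1.0\r\n", sizeof " / HTTP/1.0\r\n"); /* copies the NUL too */

    return parse_request_line(line, &req);
}

int main(void)
{
    struct request_line req;
    int rc = parse_request_line("GET /index.html HTTP/1.0\r\n", &req);

    printf("valid request: rc=%d method=%s path=%s version=%s\n",
           rc, req.method, req.path, req.version);
    printf("1028-byte token: rc=%d (PARSE_TOO_LONG is %d)\n",
           demo_oversized_request(), PARSE_TOO_LONG);
    return 0;
}
```

The point of the example is the check order: the length test happens before any byte is written, and an over-long token is an error the caller can log and answer with a 4xx, not something to quietly shorten.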

As we've seen from other Bugtraq posts, this product seems fully broken.

Here's more info.

From:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-29&msg=381B084A.E37193CE () thievco com

To:           Exploit-Dev
Subject:      Re: Possibly exploitable overflow in Alibaba 2.0
Date:         Sat Oct 30 1999 07:01:30
Author:       Blue Boar
Message-ID:   <381B084A.E37193CE () thievco com>

http://www.csm-usa.com/product/alibaba/

"Connect With Confidence !!"

http://www.netcraft.com/whats/?host=www.csm-usa.com%3A80

(Says it's running Alibaba 3.0)

Links to sites running Alibaba:

http://www.netcraft.com/survey/Reports/9909/byserver/Alibaba/index.html

I have a real problem with a company releasing a (potentially) insecure
product, and then crying "freeware" and refusing to release a fix,
source, etc...

------------------------------------------

Looking back, minus the rest of the thread, my message is a bit terse.
Alibaba is a web server that runs on Windows 9x and NT.  The current
version that I can see on their web site is 2.0, though you'll notice they
themselves run something that identifies itself as 3.0.  Netcraft will give
you a list of web servers running Alibaba.  In .com and .net, there were
just over 500.

This is a closed-source Windows program.  You can't fix it, and they won't
fix it.

I can't help but be reminded of a Far Side cartoon I like.  It shows
various dangerous animals, such as a blowfish, and a rattlesnake.  In one
corner of the cartoon is a guy wearing a boot on his head, with an
inner-tube around his middle, holding a rocket launcher.  The caption is
"Nature's way of saying 'don't touch'".

                                                BB

P.S.  One of the list members suggested "attacking" vulnerable sites with a
patch if one can be hacked together.  I certainly can't condone that, but
it makes me chuckle.

