Bugtraq mailing list archives

Re: More vulnerabilities in FP


From: cyberiad () CYBERUS CA (The Cyberiad)
Date: Wed, 19 Apr 2000 08:08:25 -0400


Hello,

I confirmed the 742-A's caused a page fault in KERNEL32.DLL
at 0167:bff87ede under FP 3.0.2.1105, installed with PWS
under Windows 98 (PWS.EXE Version 4.02.0690). However,
this length did not force A's into the EIP. Instead the stack pointer
is corrupted, now pointing to invalid memory (which caused the page
fault). The relationship of the corrupted stack pointer to the input
overflow data is unclear (it's not 0x41414141) so I'll have to do
some more reverse engineering; I did try longer strings with the
same result.

As well, the file existence test listed under Problem#3 works for
files outside of the webroot but on the same volume. For example,
if your webroot is at d:\Inetpub\wwwroot, the request,

http://server/cgi-bin/htimage.exe/test.doc?0,0

will test for the existence of a file d:\test.doc. Note however, that
htimage.exe checks for the file d:\Inetpub\wwwroot\test.doc first and then
d:\test.doc.
It does not allow me to test for file existence on other volumes.

Cyberiad

----- Original Message -----
From: Narrow <narrow () HOBBITON ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, April 18, 2000 2:40 PM
Subject: More vulnerabilities in FP

[ Reader(s), please Cc: your comments/etc to narrow () hobbiton org ]


--------------------------------------------------------------------------------

-------[ Legion2000 - Russian Security Team (ADV-150400#1) ]-------
www.legion2000.cc

---- INFORMATION ----
Program Name   : CERN Image Map Dispatcher
Discovered By  : Narrow (narrow () hobbiton org)
---------------------


Problem Description
~~~~~~~~~~~~~~~~~~~
CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with
FrontPage. I found three bugs in "htimage.exe": 1) Gives us the full path
to the root directory 2) Simple buffer overflow 3) Allows us to access files.


Problem #1
~~~~~~~~~~
Like I said, the first bug gives us the full path to the root directory. I
tested this vulnerability against some servers, all were vulnerable!

Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706,
4.0.2.2717, 2.0.1.927, 3.0.2.926, 3.0.2.1105, 3.0.2.1330, 3.0.2.1117
(All Windows based web servers are vulnerable if we have permission to
execute "htimage.exe" + If "htimage.exe" exists).

To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory
(it's installed by default) and permission to execute it. That's why only
Windows is vulnerable, Unix based systems can't execute "*.exe" files.

If we access "htimage.exe" using our favorite web browser like:
http://server/cgi-bin/htimage.exe/linux?0,0
we get this error:

------------------------------------------------------------------------------------
Error

Error calling HTImage:

Picture config file not found, tried the following:

     q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
     /linux
------------------------------------------------------------------------------------

Now we know that the path to the root directory is
"q:/hidden_directory_because_of_the_script_kiddies/webroot/".

Problem #2
~~~~~~~~~~
Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0"
and "FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98
"htimage.exe" buffer overflows if we access it like:
http://server/cgi-bin/htimage.exe/<741 A's>?0,0

------------------------------------------------------------------------------------
HTIMAGE caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:

Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
------------------------------------------------------------------------------------
<Server still running> + <500 Server Error>

First remote FrontPage exploit?


Problem #3
~~~~~~~~~~
It's not a serious bug. Using "htimage.exe" we can access files on server,
but we can't read them. Accessing "htimage.exe" like:
http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs:

------------------------------------------------------------------------------------
Error

Error calling HTImage:

HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
------------------------------------------------------------------------------------

NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden

Solution
~~~~~~~~
1) Remove "htimage.exe".
2) Do not use FrontPage, simple enough :)

Comments
~~~~~~~~
Sorry for my bad English, not my mother/father language ;)
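A defender-side log check for the three request patterns discussed in both messages above (path disclosure via a nonexistent map file, the overlong path that crashes htimage.exe, and probing for files such as _vti_pvt/service.pwd), as an added example that is not part of either message or of the Legion2000 advisory. It assumes Common Log Format lines (constructed here), that legitimate image-map configuration files end in .map, and a chosen 255-byte PATH_INFO threshold; all three are assumptions, not facts from the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2000:08:01:10 -0400] "GET /cgi-bin/htimage.exe/images/nav.map?12,34 HTTP/1.0" 302 0
10.0.0.7 - - [19/Apr/2000:08:02:11 -0400] "GET /cgi-bin/htimage.exe/linux?0,0 HTTP/1.0" 500 250
10.0.0.7 - - [19/Apr/2000:08:02:30 -0400] "GET /cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0 HTTP/1.0" 500 300
10.0.0.9 - - [19/Apr/2000:08:03:00 -0400] "GET /cgi-bin/htimage.exe/{a}?0,0 HTTP/1.0" 500 0
""".format(a="A" * 741)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
HTIMAGE = "/cgi-bin/htimage.exe"
MAX_PATHINFO = 255  # assumed threshold; the advisory's crash used 741 A's


def classify(target):
    """Return None if not an htimage.exe request, else a list of reasons
    (empty list means the request looks like a normal image-map lookup)."""
    path, _, _query = target.partition("?")
    path = unquote(path)
    if not path.lower().startswith(HTIMAGE):
        return None
    info = path[len(HTIMAGE):]          # CGI PATH_INFO, leading slash included
    low = info.lower()
    reasons = []
    if len(info) > MAX_PATHINFO:
        reasons.append("overlong PATH_INFO (%d bytes)" % len(info))
    if "_vti_" in low or low.endswith(".pwd"):
        reasons.append("probe for FrontPage private file")
    if not low.endswith(".map"):        # assumption: maps are *.map files
        reasons.append("non-.map file requested")
    return reasons


def scan(log_text):
    """Yield (ip, truncated target, status, reasons) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target")[:60],
                         m.group("status"), reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```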

