From: Auriemma Luigi (aluigi_at_pivx.com)
Date: Fri Sep 13 2002 - 14:55:05 CDT


    #######################################################################

    Auriemma Luigi, PivX security advisory

    Application: Savant webserver (http://savant.sourceforge.net)
    Version: 3.1 and possibly previous versions
    Bug: Buffer overflow in cgitest, crash with negative
                   Content-Length and bad chars usage
    Risk (medium): Remote DoS and authorization bypassing (the risk is
                   between medium and high)
    Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
                   e-mail: aluigi@pivx.com
                   web: http://www.pivx.com/luigi

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy

    _______________________________________________________________________

    1) Introduction
    ===============

    Savant webserver is an OpenSource webserver that runs on Win32.
    It's a very interesting server but has some security issues, many of
    them old unpatched bugs.
    One of these, for example, is a directory traversal bug that was
    found in version 2.1 but seems to still exist in this 3.1 (over a
    year later!).
    Unfortunately I have contacted the vendor two times since August the
    23rd but I have not yet received a response.

    _______________________________________________________________________

    2) Bug
    ======

    A] Cgitest.exe overflow
    -----------------------

    The cgitest.exe program that is installed by default in the cgi-bin
    directory is vulnerable to a buffer overflow.
    The limit of acceptable characters is 128, so only 136 bytes are
    needed to overwrite the EBP and EIP registers and crash the server.
    I don't think it is possible to write a good shellcode in this case
    because few bytes go onto the stack; however, an interesting and
    simple thing is to point the EIP register to KERNEL32.DLL->ReadFile,
    because the server will crash totally and the administrator will get
    a nice blue screen (tested on Win9x).
    During the blue screen port 80 will stay open but the server will not
    answer client requests.

    B] Content-Length crash
    -----------------------

    A nice DoS is a negative Content-Length value. The value that Savant
    expects from the user is an integer, and when the attacker sends a
    negative number the server crashes.
    However, until the Windows error message is acknowledged the server
    continues to run without problems.

    C] Authorization bypassing
    --------------------------

    Uhmm, the usual Win32 API problem is again our best friend, and this
    time it gives us access to all of the user folders on the Savant
    server. By adding the chars ' ' (%20) or '.' (%2e) at the end of the
    requested filename we gain full access to the password protected
    folders.
    The other good news is that the limit on the network class that is
    authorized to access the folder can be bypassed without problems with
    this method (so if the admin has set class D only access, an attacker
    with any IP has full access without respecting this limit).
    Note: if we want to use the space (' ') char, we must also add the '/'
    char after it.

    _______________________________________________________________________

    3) The Code
    ===========

    A] Cgitest.exe overflow
    -----------------------

    Check my web page for a tiny example that causes a blue screen and
    server crash (so it crashes the whole server and not only the single
    connection). I have simply written the EIP 00409430 (which points to
    KERNEL32.DLL->ReadFile, but you can use KERNEL32.DLL->WriteFile too)
    to get a bad DoS that crashes the server and gives a blue screen.

    Usage: nc <host> 80 -v -v -n < savant-cgitest.txt

    http://www.pivx.com/luigi/poc/savant-cgitest.txt

    B] Content-Length crash
    -----------------------

    GET / HTTP/1.0
    Content-Length: -1

    C] Authorization bypassing
    --------------------------

    http://host/password_folder.
    "GET /password_folder / HTTP/1.0" <-- use with telnet
    http://host/password_folder%2e
    http://host/password_folder%20

    _______________________________________________________________________

    4) Fix
    ======

    No fix available.
    Check the Savant website for updates:

    http://savant.sourceforge.net

    _______________________________________________________________________

    5) Philosophy
    =============

    I'm really hopeful about the FULL-DISCLOSURE policy, because with it
    "everyone" can know the real effects of an attack, the real danger of a
    bug, someone can learn a bit of creative programming (I have learned a
    bit of interesting C from the source code of some published exploits
    under this policy) and it's useful for all the people that are hopeful
    in this type of disclosure.
    No secrets!

    _______________________________________________________________________

    About PivX Solutions
    PivX Solutions, is a premier network security consultancy offering a
    myriad of network security services to our clients, the most notable
    being our proprietary Risk and Vulnerability Assessment (RAVA).
    Dedicated PivX founders have also developed the patented Invisiwall
    network security device which offers the most comprehensive and secure
    intrusion detection system available.

    For more information go to http://www.PivX.com

    Any type of feedback is really welcome!

    BYEZ

    ---
    Pivx Security Researcher

