Subject: [VulnWatch] Remote Root Hole in Cherokee Webserver
 
From: bugtraq (bugtraq@bugtraq.org)
Date: Sat Dec 29 2001 - 01:50:02 CST


    Hi,

    Here are some quick notes, in the form of a brief advisory, on two issues
    in Cherokee Webserver which allow a quick remote root of a server.

    Regards,

    GOBBLES Security
    GOBBLES@hushmail.com
    http://www.bugtraq.org

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
    ALERT! ALERT! CHEROKEE WEBSERVER HAS SEVERE SECURITY HOLES! ALERT! ALERT!
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    After an email conversation between rfp (rain.forest.puppy) and a GOBBLES
    Labs researcher, we have learned that there has recently been an outbreak in
    fake advisories and trojaned exploits that are being submitted to these
    security mailing lists. The moderators are working very hard to sort out
    the legitimate advisories from the immature pranks of many, and they all
    deserve words of thanks for their hard work. This courtesy however should
    not extend to the moderators of the so called full-disclosure mailing
    lists that delay the release of information to increase the attention to
    their commercial services. GOBBLES Security feels no sympathy for those
    moderators while they have to sort through these childish and immature
    pranks. This should not be interpreted as encouragement for said actions
    against anyone, but rather as encouragement for the hard workers who have
    to put up with the same crap. Always remember, full disclosure is a
    necessary evil, which makes it one of the few sins that God doesn't frown
    upon. Remember, this is the holiday season, and it's important to give...


    PRODUCT
    *******

    Program:
     Cherokee Webserver

    Website:
     http://aurora.esi.uem.es/~alo/?action=cherokee


    BACKGROUND
    **********

    After the recent discoveries of multiple remote vulnerabilities in Apache
    Server (www.apache.org) by security companies (chiefly NAI.com/horizon),
    GOBBLES members have been investigating other http servers to see if they
    can outperform the security of Apache Server (yes, we have developed our
    own remote exploits for Apache Server and are keeping them quiet for the
    time -- go ahead and call us filthy blackhats, we have our own personal
    reasons for not disclosing them at this time). We think Apache Server is
    a _great_ product; we're just interested in seeing how others line up
    against it.

    One of the servers we came across is Cherokee Webserver. From the
    author's website, I submit the following paste:

       Cherokee
       an extra-light web server
       Cherokee is an extremely fast and tiny web server.

    Features

         * Basic HTTP server
         * FAST and tiny
         * Embeddable
         * Runs under a chroot environment
         * Supports htdocs path in compilation
         * Can work as a daemon

    Benchmark

                                                Cherokee 0.2.0   Apache 1.3.22
       Requests per second [#/sec]                     5503.58          857.19
       Time per request [ms]                              9.09           58.33
       Time per request [ms] (concurrent req)             0.18            1.17
       Transfer rate [Kbytes/sec]                      1095.36          366.91
       Executable size                                   7.4Kb           504Kb

       Benchmark "ab" (Apache Benchmark program) executed doing 10.000
       queries and 50 clients concurrently


    As you can see, this server brags exceptional speed. The real question
    is, however, is it secure?

    Our tests suggest it isn't. >:-)


    PROBLEMS
    ********

    The first problem is a simple directory traversal bug. No exploit code is
    needed to demonstrate this; netcat and Internet Explorer seem to be
    sufficient. By adding several instances of /../ to the end of a request,
    one is able to traverse the entire filesystem.

    Notice, this server brags to run in a "chroot" environment, but this
    test shows that something is definitely wrong.
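    A defender's fix for the first problem, as an added example that is not Cherokee's own code: normalise the request path lexically and refuse anything that would climb above the document root (a chroot does not replace this check, and a process still running as root can leave a chroot anyway). It assumes the request path has already been URL-decoded.

```c
#include <string.h>

/* Lexically normalise a request path against the document root so that
 * it can never escape it: "." and empty segments are dropped, ".." pops
 * the previous segment, and a ".." with nothing left to pop is rejected
 * instead of climbing above docroot. Run this after URL-decoding (so an
 * encoded "%2e%2e" is seen as "..") and before touching the filesystem.
 * Returns 0 and writes the safe path to out, or -1 on traversal/overflow.
 * Added example, not Cherokee's own code. */
int safe_path(const char *docroot, const char *req, char *out, size_t outlen)
{
    size_t starts[256];        /* offset in out where each kept segment begins */
    size_t depth = 0, len, seglen;
    const char *p = req, *end;

    if (req[0] != '/') return -1;                   /* request paths are absolute */
    len = strlen(docroot);
    if (len + 1 > outlen) return -1;
    memcpy(out, docroot, len + 1);
    while (len > 1 && out[len - 1] == '/') out[--len] = '\0'; /* trim trailing "/" */

    while (*p) {
        while (*p == '/') p++;                      /* collapse "//" */
        if (!*p) break;
        end = strchr(p, '/');
        seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen == 1 && p[0] == '.') {
            ;                                       /* "." : stay here */
        } else if (seglen == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;              /* would leave docroot */
            len = starts[--depth];                  /* drop "/segment" */
            out[len] = '\0';
        } else {
            if (depth == sizeof starts / sizeof starts[0]) return -1;
            if (len + 1 + seglen + 1 > outlen) return -1;
            starts[depth++] = len;
            out[len++] = '/';
            memcpy(out + len, p, seglen);
            len += seglen;
            out[len] = '\0';
        }
        p += seglen;
    }
    return 0;
}
```

    The check is purely lexical; symlinks inside the document root still need their own policy.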

    The second problem is that it does not drop privileges. Since it needs to
    start as root to bind to tcp 80, and does not drop privileges, there is an
    obvious problem. Without even doing a source code audit, we immediately
    realize the potential for an instantaneous remote root compromise here
    when used with the first problem described above; a clever penetrator who
    is familiar with various password storage mechanisms on Unix-based
    platforms will know enough to go after files like
    /etc/passwd|shadow|master.passwd, then from there it's just a matter of
    ./john -i to become root.
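    For the second problem, the safe startup order as an added example (not Cherokee's code): do the one thing that needs root, binding tcp/80, then switch to an unprivileged account and verify that root cannot be regained before serving a single request. The account name "nobody" is an assumption; a dedicated service user is better.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create the listening socket while still root: only root may bind tcp/80. */
int bind_listen_socket(int port)
{
    struct sockaddr_in sa = { 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 64) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up root once the privileged work is done. Order matters:
 * supplementary groups first, then gid, then uid; after setuid() there is
 * no privilege left to change the groups with. Returns 0, or -1 on failure,
 * in which case the caller must exit rather than serve as root. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0) return -1; /* unknown user, or root */
    if (geteuid() != 0) return 0;                 /* not root: nothing to drop */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (setuid(0) == 0 || geteuid() != pw->pw_uid) return -1;
    return 0;
}
int main(void)
{
    int fd = bind_listen_socket(80);              /* privileged step, as root */
    if (fd < 0 || drop_privileges("nobody") != 0) {
        perror("startup failed, refusing to serve as root");
        return 1;
    }
    printf("listening on fd %d as uid %d\n", fd, (int)geteuid());
    return 0;
}
```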


    WORKAROUNDS
    ***********

    GOBBLES Labs highly recommends using a better http server, one that can at
    least attempt to brag security. Speed isn't as important as security, so
    don't trust any product that only brags speed.

    *note from GOBBLES:
      hey hey hey it GOBBLES hehehe all GOBBLES want to say is that he did not
      instruct researchers at GOBBLES Labs to investigate further into this
      and there probably many holes in sourcecode like bufferoverflow and
      format bug strings for easier exploitation but GOBBLES think after
      showing two root hole in product it time to move on and go to next and
      that GOBBLES promise to revisit it after author patch these problems,
      hehe, at least make it chroot! *


    GREETS
    ******


    dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,
    knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,
    blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,
    bugtraq (thanks aleph1 and david ahmad for devoting your time to a great
    list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin
    bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,
    manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,
    radiohead, george michael, larry wall, beethoven, francis bacon, bruce
    willis, bruce schneier, alan turing, john von neumann, donald knuth, michael
    abrash, robert sedgewick, richard simmons, government boy, ralph lauren,
    kevin mitnick, david koresh, the violent femmes, legions of doom, quentin
    tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky,
    hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock,
    ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer
    lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci,
    nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo
    dolls, savage garden, george bush, john howard, tony blair, ashida kim,
    andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi,
    deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster,
    attrition.org, cliff stoll, bill gates, alan cox, george harrison,
    berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru
    paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian
    crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko, santa
    claus, the easter bunny, the christmas tree, hacktech.org, mixter and the
    rest of #darknet/2xs, the planet Pluto, pluto the dog, walt disney, the
    smurfs, packetstormsecurity.org, chocolate, caramel, marshmallows, rice
    crispies, rice crispie treats, cousin WOBBLES, rfp, Alan@packetstorm, george
    bush senior, george w. bush, his drunken daughters, gary coleman, fat
    albert, rhino9, eEye.com, the djali zwan, digital unix, o'reilly &
    associates, hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p
    diddy, mr. peanut, all girls who pose naked on webcam for GOBBLES, mr
    goldilocks, checkpoint.com, whoever invented deoderant, monkey.org, bono,
    micheal stipes, clark kent, bruce banner, ssh.com, hacked.cisco.com, thomas
    edison, steven king, P80 Systems, gnutella, colin powell, Joakim von Braun,
    #openbsd/efnet, jnathan/efnet, debian.org, mr. ed, scooby doo, spud
    mckenzie, sam i am, guy who wrote that bible book, george b. thomas junior,
    ross l. finney, maurice d. wier, john bobbit, transmeta.com, linus torvalds,
    naked supermodel in magazines, d'arcy gretzky, deep purple, shampoos that
    kill head lice, kraft.com, george clooney, jonathon swift, plan9 from outer
    space, penelope cruz, chuck norris, mandy moore, christina aguilera, drew
    barrymore, bjarne stroustrup, psychic friends network, david letterman,
    ~el8, jennicide, the mentor, kevin spacey, sho kosugi, michael dudikoff,
    HERT, anton lavey, daath, stephen hawking, the illuminati, sml@subterrain.net,
    spinux, efnet@ROUTE, the movie "dirty dancing", darth maul, liz taylor,
    barney rubble, pacman, the fantastic four, Narr0w, angrypackets.com, sinbad,
    jim phillips, the movie "pink flamingos" -- wonderful performance ricki lake,
    guy who invent drugs, skyper (you promised we be Prophile not noise, but we
    love you anyways), all the ninjas, charlie root for all he emails, wyatt erp,
    nmrc.org, paul albitz, cricket liu, kurt kerns, #!/bin/zsh, harry houdini,
    all security.is psychologists (hehe), guy anonymous (wrote book Maximum Linux
    Security on how to use free software, hehe), and all our friends and family.




     
