SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Abyss Web Server
Vendors:   Aprelium Technologies
Abyss Web Server Access Control Bug Lets Remote Users Gain Administrative Control of the Web Server Application
SecurityTracker Alert ID:  1005126
SecurityTracker URL:  http://securitytracker.com/id/1005126
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 23 2002
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.3 patch 2, and prior versions
Description:   An access control vulnerability was reported in Aprelium's Abyss web server. A remote user can administer the web server. Also, a remote user can view files on the system via a variation of a previously reported directory traversal flaw.

It is reported that a remote user can submit HTTP POST requests to the administrative console (the same web server, bound by default to port 9999, or alternatively 81) to change the configuration managed through the pages in the CHL directory. This method can apparently be used to modify every parameter on the server. No authentication is required. According to the advisory, this administration flaw had already been fixed by the vendor in 1.0.3 patch 2, while the file disclosure flaws below still affect patch 2.

A remote user can start or stop the server, change the administrator username and password, and change various configuration settings.

A demonstration exploit HTML page is provided at:

http://www.pivx.com/luigi/poc/abyss-adm.zip

A remote user can also view any file on the system that is readable by the web server by using a URL in which the '..' segments are joined with the URL-encoded backslash ('%5c'), which the server does not recognise as a path separator when it checks for traversal. This affects Windows-based installations.

A demonstration exploit URL is provided:

http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

According to the report, directory listings can also be viewed (except for the root directory), but only if the AutoIndex option is enabled, which is the default configuration. A demonstration exploit URL for a Windows-based installation is provided:

http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt/

On Linux/UNIX platforms, a remote user cannot traverse above the Abyss installation directory, but can list it and view some of its contents, such as files in the cgi-bin and chl directories (abyss.conf and the log files are not exposed). Some demonstration exploit URLs are provided:

http://host/%2f%2e%2e%2f
http://host/%2f%2e%2e%2fcgi-bin/

Finally, it is reported that on Windows-based installations a remote user can append certain characters (such as '+') to a requested file name to read certain files, including the console's .chl pages, without logging in. Some demonstration exploit examples are provided:

http://host:9999/srvstatus.chl+
http://host:9999/consport.chl+
http://host:9999/conspass.chl+
http://host:9999/general.chl+

Impact:   A remote user can administer the web server. A remote user can view files on the system with the privileges of the web server.
Solution:   The vendor has issued a fixed version (1.0.3 patch 3), available at:

http://www.aprelium.com

For more information, see the Vendor URL.

Vendor URL:  www.aprelium.com/news/patch1033.html
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Abyss 1.0.3 directory traversal and administration bugs


######################################################################

Auriemma Luigi, PivX security advisory 

Application: Abyss webserver (http://www.aprelium.com)
Version:     1.0.3 (patch 2) and previous, both Windows and Linux
             (patch 2 already fixes the administration bug)
Bug:         Directory traversal and administration bugs
Risk (high): An attacker can view every file on the remote system and
             can administer the Abyss server without any login.
             Read the Bug section for more details
Author:      Auriemma Luigi, Security Researcher, PivX Solutions, LLC
             e-mail: aluigi@pivx.com

######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

______________________________________________________________________
----------------------------------------------------------------------

1) Introduction


Abyss is a free web server that runs on Win32 and Linux x86 systems.
It is tiny and it has some interesting features, for example the
use of a "console" to administer the server remotely.
Unfortunately the usage of this console is the most dangerous thing in
this web server, because an attacker can do whatever he wants without
any password.
This bug was found by Aprelium in June and has been fixed in the
patch 2 release. However a misunderstanding with CNET has limited the
distribution of this version.

The other bug is another dangerous problem: a directory traversal bug.
The last problem is a minor vulnerability in the handling of files
requested with some characters added at the end of the name.

______________________________________________________________________
----------------------------------------------------------------------

2) Bug


A] Directory traversal bug
==========================

The first problem I want to show is about viewing all the files on
the systems where Abyss 1.0.3 (patch 2) and previous versions run.

This problem is caused by the character '\' (%5c) not being checked
as a bad character, so the server follows the path in the URI that the
attacker gives until it reaches the requested file.

The following are two simple examples to read the winnt\win.ini file:

http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0"

The second is a raw HTTP request that can be sent with telnet, because
some browsers rewrite the "\.." characters before sending the request.

It is also possible to view the index of directories (but not of the
root) ONLY if the AutoIndex option is not disabled (it is enabled by
default).
This one shows winnt:
http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt/

On Linux, fortunately, the attacker cannot walk up the path: he
can only reach the Abyss folder and see SOME files, for example
the files in the cgi-bin and chl directories, but NOT abyss.conf or
the logs (the same holds on Windows).
Two simple examples are:

http://host/%2f%2e%2e%2f
http://host/%2f%2e%2e%2fcgi-bin/

which show the index of the Abyss and cgi-bin folders.


B] Administration bug (fixed in patch 2 release)
================================================

The console used in Abyss is the same web server, bound to
port 9999 (another default port can be 81), serving the files
in the CHL directory of the server.
This directory holds all the files needed to manage the server
remotely, so the administrator can change the parameters without
modifying the abyss.conf file by hand.

This bug is really incredible... an attacker without a login can
reconfigure every parameter of the server.
Some examples of what the attacker can do are:
- Stop, Run and Halt the server
- change the username and password of the administrator
- change all the advanced parameters of the server (log files, number
  of requests, etc...)
- everything the real administrator can do

The only limit for the attacker is that he cannot read the current
settings of the server, but I think that it is not so important
because he can redefine them all!
Remember that the attacker can redefine the administrator login, and
he will then be the real administrator.

The proof-of-concept can be downloaded from my userpage:
http://www.pivx.com/luigi/poc/abyss-adm.zip


C] Characters adding
====================

This is a problem that is widespread in Windows applications, and
not only in those.

The problem is that by adding some characters (in this case the '+')
the attacker can read, for example, the .chl files, bypassing the login.
Not a bad bug, but it is better to fix bugs like this before they can
be used for more dangerous exploits.

Simple examples are:

http://host:9999/srvstatus.chl+
http://host:9999/consport.chl+
http://host:9999/conspass.chl+
http://host:9999/general.chl+
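
The block below is an added example and not Abyss code. The advisory does not show how Abyss 1.0.3 implemented its checks, so the *_vulnerable functions only model the behaviour described in sections A and C: a '..' check that recognises '/' but not '\', and a login decision taken on the literal request name while the file is opened under the name Windows actually uses. That a '+' ends up as a trailing space which Win32 drops from the file name is an assumption about the mechanism, not something the advisory states. The hardened versions decode once, treat both separators alike, refuse names the OS would rewrite, normalise, and confine the result to the document root; DOCROOT and PROTECTED_EXT are illustrative.

```python
"""Added example (not Abyss source): model of the two path-handling bugs in
the advisory beside a hardened resolver.  The *_vulnerable functions only
reproduce the behaviour the advisory describes; how Abyss really implemented
its checks is not shown there.  DOCROOT and PROTECTED_EXT are assumptions."""
import posixpath
from urllib.parse import unquote, unquote_plus

DOCROOT = "C:/abyss/htdocs"   # assumed document root (POSIX-style so it runs anywhere)
PROTECTED_EXT = ".chl"        # console pages that must sit behind the login


def resolve_vulnerable(uri: str, base: str = DOCROOT) -> str:
    """Bug A model: only '/' is treated as a separator, so '..' written as
    '\\..' (encoded %5c%2e%2e) passes the check unnoticed.  The returned
    string is what the server hands to the OS; Windows honours the
    backslashes and the open escapes the document root."""
    path = unquote(uri.split("?", 1)[0])
    for seg in path.split("/"):
        if seg == "..":
            raise PermissionError("traversal rejected")
    return base + path


def windows_open_name(name: str) -> str:
    """Emulate Win32 name normalisation: trailing spaces and dots are dropped
    before a file is opened.  That this is the mechanism behind bug C (with
    '+' decoding to a space) is an assumption, not stated in the advisory."""
    return name.rstrip(" .")


def console_needs_login_vulnerable(uri: str) -> bool:
    """Bug C model: the login decision looks at the decoded request name,
    but the file is opened under the normalised name.  'srvstatus.chl+'
    decodes to 'srvstatus.chl ', which is not recognised as a .chl page,
    yet windows_open_name() still opens srvstatus.chl."""
    name = unquote_plus(uri.rsplit("/", 1)[-1])
    return name.endswith(PROTECTED_EXT)


def resolve_hardened(uri: str, base: str = DOCROOT) -> str:
    """Decode once, treat both separators alike, refuse names the OS would
    rewrite, normalise, and confine the result to the document root."""
    raw = unquote(uri.split("?", 1)[0])
    if "\x00" in raw:
        raise PermissionError("NUL byte in path")
    path = raw.replace("\\", "/")            # Windows accepts either separator
    leaf = path.rsplit("/", 1)[-1]
    if leaf != windows_open_name(leaf):
        raise PermissionError("file name would be rewritten by the OS")
    full = posixpath.normpath(posixpath.join(base, path.lstrip("/")))
    if full != base and not full.startswith(base + "/"):
        raise PermissionError("path escapes document root")
    return full


def console_needs_login_hardened(uri: str) -> bool:
    """Take the access-control decision on the name the OS will actually
    open, and treat anything the OS would rewrite as protected, so no suffix
    trick can split the two views of the same file."""
    name = unquote_plus(uri.rsplit("/", 1)[-1])
    canonical = windows_open_name(name)
    return canonical != name or canonical.endswith(PROTECTED_EXT)


def rejected(resolver, uri: str) -> bool:
    """True when the resolver refuses the request."""
    try:
        resolver(uri)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    win_ini = "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini"
    print("vulnerable ->", resolve_vulnerable(win_ini))
    print("hardened rejects:", rejected(resolve_hardened, win_ini))
    for u in ("/srvstatus.chl", "/srvstatus.chl+"):
        print(u, "login? vulnerable:", console_needs_login_vulnerable(u),
              "hardened:", console_needs_login_hardened(u))
```

The point of the hardened pair is that both decisions (is the path inside the root, does the page need a login) are made on the exact name the operating system will open, not on the string the client sent; the Linux "%2f%2e%2e%2f" variant is caught by the same root-confinement check even though the vulnerable model above only reproduces the backslash case.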

______________________________________________________________________
----------------------------------------------------------------------

3) The Code


A] Example of the directory traversal bug on Win:

http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0"

Abyss index on Linux:

http://host/%2f%2e%2e%2f


B] For the administration bug watch the html file in my userpage
http://www.pivx.com/luigi/poc/abyss-adm.zip

It can be used to test a server running on the same machine, at
the address 127.0.0.1.
If you want to test other machines, simply replace the string
"http://127.0.0.1:9999" at line 4 of the html with the host and
port you want.


C] Add the '+' char at the end of the file requested.
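
Added example, not from the advisory: detection rules for the three patterns listed in this section (backslash or double-slash traversal, console .chl pages reached from a non-loopback address or reconfigured with POST, and the trailing-'+' suffix trick), run over a handful of constructed log lines. Abyss's own log format is not shown on this page, so the Common Log Format regex and the sample lines are assumptions, and the source addresses are taken from documentation ranges.

```python
"""Added example, not from the advisory: detection rules for the attack
patterns it describes, run over constructed log lines.  The lines are in
Common Log Format as an assumption (Abyss's own log layout is not shown
on this page); adjust LOG_RE to match what your server writes."""
import ipaddress
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# A '..' segment delimited by '/' or '\' (the %5c variant decodes to the latter).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
CONSOLE_EXT = ".chl"   # pages served by the administration console

# Constructed sample; source addresses are from documentation ranges.
SAMPLE_LOG = """\
127.0.0.1 - - [23/Aug/2002:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [23/Aug/2002:10:00:02 +0200] "GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 200 421
203.0.113.7 - - [23/Aug/2002:10:00:03 +0200] "GET /srvstatus.chl+ HTTP/1.0" 200 2210
203.0.113.7 - - [23/Aug/2002:10:00:04 +0200] "POST /conspass.chl HTTP/1.0" 200 1800
127.0.0.1 - - [23/Aug/2002:10:00:05 +0200] "GET /general.chl HTTP/1.0" 200 3300
198.51.100.9 - - [23/Aug/2002:10:00:06 +0200] "GET /%2f%2e%2e%2fcgi-bin/ HTTP/1.0" 200 512
"""


def parse(line: str):
    """Split one log line into its fields; None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["target"].split("?", 1)[0]
    return entry


def is_loopback(src: str) -> bool:
    """True for 127.0.0.0/8 and ::1; hostnames count as remote unless 'localhost'."""
    try:
        return ipaddress.ip_address(src).is_loopback
    except ValueError:
        return src == "localhost"


def classify(entry: dict) -> list:
    """Return the list of rule names the request matches (empty if benign)."""
    tags = []
    decoded = unquote(entry["path"])
    # Last path component, whichever separator was used.
    leaf = re.split(r"[\\/]", decoded)[-1]
    # Name Windows would open once trailing '+', space and dot are dropped
    # ('+' as a space is the assumed mechanism behind the suffix trick).
    canonical = leaf.rstrip("+ .")
    if TRAVERSAL_RE.search(decoded):
        tags.append("traversal")
    if canonical.endswith(CONSOLE_EXT):
        if canonical != leaf:
            tags.append("console-suffix-bypass")
        if not is_loopback(entry["src"]):
            tags.append("console-remote-access")
        if entry["method"] == "POST":
            tags.append("console-reconfigure")
    return tags


def scan(log_text: str) -> list:
    """Run every parsable line through classify(); keep only the hits."""
    hits = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            hits.append((entry["src"], entry["method"], entry["path"], tags))
    return hits


if __name__ == "__main__":
    for src, method, path, tags in scan(SAMPLE_LOG):
        print(f"{src:15} {method:4} {path:60} {','.join(tags)}")
```

The rules classify on the decoded request so that both the %5c and the literal backslash forms of the same request are caught, and they key console detection on the canonical .chl name so that a suffix-bypass attempt is reported as a console access as well. A local GET of a .chl page produces no hit, which keeps the administrator's own use of the console out of the alert stream.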

______________________________________________________________________
----------------------------------------------------------------------

4) Fix


Abyss 1.0.3 (patch 3) from the Aprelium web-site:
http://www.aprelium.com

or directly the updated executable:
http://www.aprelium.com/news/patch1033.html

______________________________________________________________________
----------------------------------------------------------------------

5) Philosophy


I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack and the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits), and it's useful for all the people who believe in this
type of disclosure.
No secrets!

______________________________________________________________________
----------------------------------------------------------------------

About PivX Solutions
PivX Solutions, is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary Risk and Vulnerability Assessment (RAVA).
Dedicated PivX founders have also developed the patented Invisiwall
network security device which offers the most comprehensive and secure
intrusion detection system available.

For more information go to http://www.PivX.com

 

Any type of feedback is really welcome!

Byez



-- 
PivX Security Researcher

 
 



Copyright 2021, SecurityGlobal.net LLC