SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   AN HTTP Server Vendors:   nakata@st.rim.or.jp
AN HTTP Server 'cmdIS.DLL' Buffer Overflow Lets Local Users Execute Arbitrary Code and Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013666
SecurityTracker URL:  http://securitytracker.com/id/1013666
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 8 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, Modification of user information, User access via local system
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.42n
Description:   Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in AN HTTP Server in 'cmdIS.DLL'. A local user can execute arbitrary code with the privileges of the web service. A remote user can conduct cross-site scripting attacks.

A local user can trigger a buffer overflow in the 'cmdIS.DLL' plugin to execute arbitrary code on the target system. A local user can create a specially crafted BAT file that, when run as a CGI script, will trigger a buffer overflow in copying variables provided by the GetEnvironmentStrings() API function into a potentially smaller buffer.
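The defect described above is a classic unbounded copy: the Windows GetEnvironmentStrings() API returns a block of "NAME=value" strings, each NUL-terminated, with an extra NUL ending the block, and its size depends entirely on the process environment. The following C code is an added illustration, not code from cmdIS.DLL or from the advisory. It builds a constructed environment block in that same double-NUL layout so it runs on any platform, shows the unchecked copy pattern the advisory describes, and beside it the bounded version that measures the block first and refuses to copy when the destination is too small.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the layout GetEnvironmentStrings() returns on Windows:
 * "NAME=value\0" entries followed by one extra '\0'. The string literal's
 * implicit terminator supplies that final NUL. (Sample data for this example.) */
static const char SAMPLE_ENV_BLOCK[] =
    "PATH=C:\\Windows\\system32\0"
    "QUERY_STRING=name=value\0"
    "REQUEST_METHOD=GET\0";

/* Size in bytes of a double-NUL-terminated block, including both terminators. */
size_t env_block_len(const char *block) {
    const char *p = block;
    while (*p != '\0') {
        p += strlen(p) + 1;   /* skip one "NAME=value" entry and its NUL */
    }
    return (size_t)(p - block) + 1;   /* +1 for the block's final NUL */
}

/* The pattern the advisory describes: a fixed-size destination receives the
 * whole block with no check against its capacity. Shown for contrast only;
 * it is never called here, because a block larger than 'dst' corrupts the stack. */
void copy_env_block_unchecked(char dst[64], const char *block) {
    memcpy(dst, block, env_block_len(block));
}

/* Hardened version: measure first, copy only when the block fits.
 * Returns the number of bytes copied, or -1 when 'dst' is too small. */
long copy_env_block_bounded(char *dst, size_t dst_size, const char *block) {
    size_t need = env_block_len(block);
    if (need > dst_size) {
        return -1;
    }
    memcpy(dst, block, need);
    return (long)need;
}

/* Prints the entries of a block one per line, the way a 'set' command would. */
void print_env_block(const char *block) {
    for (const char *p = block; *p != '\0'; p += strlen(p) + 1) {
        printf("%s\n", p);
    }
}

int main(void) {
    char small[64];
    char big[256];

    if (copy_env_block_bounded(small, sizeof small, SAMPLE_ENV_BLOCK) < 0) {
        printf("block of %zu bytes rejected for a %zu-byte buffer\n",
               env_block_len(SAMPLE_ENV_BLOCK), sizeof small);
    }
    if (copy_env_block_bounded(big, sizeof big, SAMPLE_ENV_BLOCK) > 0) {
        print_env_block(big);
    }
    return 0;
}
```

The bounded copy returns an error rather than truncating, because a truncated environment block could lose its double-NUL terminator and make every later walk over it read past the end; if a caller prefers truncation it has to re-terminate the buffer explicitly.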

The server also does not properly validate user-supplied URI input before writing the data to the log file. A remote user can submit specially crafted data that will be logged by the system. Then, when a target administrator views the site, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the AN HTTP Server software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
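The underlying log-file problem is that request data reaches the log verbatim, so a CR or LF inside the URI starts a new log line and anything after it is indistinguishable from a genuine entry. The C code below is an added example of the mitigation, not AN HTTPD's own logging code: it detects control bytes in a URI, percent-encodes them so each logged request occupies exactly one line, and builds a log entry from a constructed request. The client address, method and status value are made-up sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed request URI carrying a CR/LF pair, the kind of input the
 * advisory says is written to httpd.log unfiltered. (Sample data.) */
static const char SAMPLE_URI_WITH_CRLF[] = "/index.html\r\nINJECTED-LINE";

/* Returns 1 if the URI contains any control byte (CR, LF, tab, DEL, ...)
 * that must not reach a line-oriented log verbatim; 0 if it is safe as-is. */
int uri_needs_escaping(const char *uri) {
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            return 1;
        }
    }
    return 0;
}

/* Copies 'uri' into 'out', replacing every control byte with its %XX form so
 * the result never contains a line break. Returns the escaped length, or -1
 * when 'out' cannot hold the result plus its terminating NUL. */
long escape_uri_for_log(const char *uri, char *out, size_t out_size) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)uri; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            if (n + 3 >= out_size) {
                return -1;
            }
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0f];
        } else {
            if (n + 1 >= out_size) {
                return -1;
            }
            out[n++] = (char)*p;
        }
    }
    out[n] = '\0';
    return (long)n;
}

/* Builds one log line of the form: client "METHOD uri" status
 * Returns the line length, or -1 if the escaped URI or the line does not fit. */
long format_log_entry(char *line, size_t line_size, const char *client,
                      const char *method, const char *uri, int status) {
    char safe_uri[512];
    if (escape_uri_for_log(uri, safe_uri, sizeof safe_uri) < 0) {
        return -1;
    }
    int len = snprintf(line, line_size, "%s \"%s %s\" %d\n",
                       client, method, safe_uri, status);
    if (len < 0 || (size_t)len >= line_size) {
        return -1;
    }
    return len;
}

int main(void) {
    char line[1024];
    if (uri_needs_escaping(SAMPLE_URI_WITH_CRLF)) {
        printf("control bytes found in URI, escaping before logging\n");
    }
    if (format_log_entry(line, sizeof line, "192.0.2.10", "GET",
                         SAMPLE_URI_WITH_CRLF, 200) > 0) {
        fputs(line, stdout);   /* one line, with %0D%0A where CR/LF were */
    }
    return 0;
}
```

Escaping only control bytes keeps the log readable while guaranteeing the one-request-per-line invariant that log parsers rely on; a stricter variant would also encode '%' itself so an escaped "%0D" can never be confused with a literal "%0D" sent by the client.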

The vendor was notified on March 7, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/anhttpd142n.html
http://www.security.org.sg/vuln/anhttpd142n-jp.html

Impact:   A local user can execute arbitrary code on the target system with the privileges of the target web service.

A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the AN HTTP Server software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

Solution:   No solution was available at the time of this entry. The vendor is working on a fix.

The report has provided the following workaround [quoted]:

1. Delete cmdIS.DLL and all sample scripts.
2. Put httpd.log outside the document root.

Vendor URL:  www.st.rim.or.jp/~nakata/ (Links to External Site)
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] AN HTTPD Server cmdIS.DLL Buffer Overflow and LogFile


SIG^2 Vulnerability Research Advisory

AN HTTPD Server cmdIS.DLL Buffer Overflow and LogFile Arbitrary 
Character Injection Vulnerabilities

by Tan Chew Keong
Release Date: 07 Apr 2005


ADVISORY URL
http://www.security.org.sg/vuln/anhttpd142n.html
http://www.security.org.sg/vuln/anhttpd142n-jp.html


SUMMARY

AN HTTPD Server (http://www.st.rim.or.jp/~nakata/) is web server 
software for Windows 95/98/Me/NT/2000/XP platforms. It is easy to use 
and install, and supports SSI and CGI. It is suitable for anyone who 
wants to set up a personal homepage using one's home PC, and it works 
even over dial-up connections.

A buffer overflow vulnerability was found in the cmdIS.DLL plugin 
supplied with AN HTTPD. This vulnerability may be exploited to crash the 
server or to execute arbitrary code. In addition, AN HTTPD does not 
perform filtering of the received URI before writing it out to the 
logfile. Hence, it is possible to inject arbitrary characters into its 
logfile. This may be exploited to corrupt the logfile or to inject fake 
entries. In particular, it may be possible to inject commands into 
the logfile that can be executed by the cmdIS.DLL plugin.


TESTED SYSTEM

AN HTTPD Server Version 1.42n on English Win2K SP4 and WinXP SP2.


DETAILS

This advisory documents two vulnerabilities found in AN HTTPD server. The 
first is a buffer overflow vulnerability that may be remotely exploited 
to crash the server or to execute arbitrary code. The second is a 
logfile arbitrary character injection vulnerability that may be 
exploited to corrupt the logfile, inject fake entries, or inject 
commands that can be executed by cmdIS.DLL.

1. cmdIS.DLL Buffer Overflow Vulnerability.

AN HTTPD server supports the use of BAT files as CGI scripts. The 
cmdIS.DLL plugin that comes with AN HTTPD could be used to parse BAT 
files that are used as CGI scripts. cmdIS.DLL supports only a small 
subset of BAT file commands like echo, set, echo., @echo and type. In 
particular, the set command could be used in a CGI BAT file to display 
the Environment variables. Internally, cmdIS.DLL calls the 
GetEnvironmentStrings API to obtain the Environment variables. The 
results from the API call are copied into a buffer without bounds check. 
This causes a buffer overflow when the total size of the Environment 
variables exceeds the size of the buffer.

2. Logfile Arbitrary Characters Injection.

AN HTTPD does not perform filtering of the received URI before writing 
it out to the logfile. This makes it possible to inject arbitrary 
characters into the logfile. In particular, it does not filter out CR 
and LF characters in the URI before logging the request. This may be 
exploited to corrupt the logfile or to inject fake entries. It is also 
possible to inject commands into the logfile that can be executed by the 
cmdIS.DLL plugin.


PATCH

The author has acknowledged these vulnerabilities, and will be fixing them 
in the next release. In the meantime, please apply workarounds.


WORKAROUNDS

    1. Delete cmdIS.DLL and all sample scripts.
    2. Put httpd.log outside the document root.


DISCLOSURE TIMELINE

06 Mar 05 - Vulnerability Discovered.
07 Mar 05 - Initial Author Notification.
12 Mar 05 - Second Author Notification.
20 Mar 05 - Third Author Notification.
05 Apr 05 - Fourth Author Notification.
07 Apr 05 - Author Acknowledged Vulnerabilities.
07 Apr 05 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
Copyright 2019, SecurityGlobal.net LLC