Category:   Application (Generic)  >   WAWI Vendors:   flippet.org
WAWI Bugs Let Remote Users View Directories and Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017362
SecurityTracker URL:  http://securitytracker.com/id/1017362
CVE Reference:   CVE-2006-6512, CVE-2006-6513, CVE-2006-6514, CVE-2006-6539   (Links to External Site)
Updated:  May 22 2008
Original Entry Date:  Dec 11 2006
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 7.5.13 and prior versions
Description:   Luigi Auriemma reported several vulnerabilities in the Winamp Web Interface (WAWI) plugin. A remote authenticated user may be able to execute arbitrary code on the target system. A remote authenticated user can view directories on the target system.

A remote user can send a specially crafted HTTP Authorization value to trigger a buffer overflow in the FindBasicAuth() function in 'security.cpp' and cause the target service to crash.

A remote authenticated user with 'Browse' privileges can exploit a validation flaw in the Browse() function in 'browse.cpp' to view a directory listing of arbitrary directories on the target system.

A demonstration exploit URL is provided:

http://[target]/browse?path=%2f..%2f..%2f

A remote authenticated user with appropriate privileges can exploit a buffer overflow in the Browse(), CControl::Download(), and CControl::Load() functions to potentially execute arbitrary code on the target system. A specially crafted 'file' parameter value can trigger this overflow.

A demonstration exploit URL is provided:

http://[target]/dl?file=\file.txt.

A remote authenticated user with 'Download' permissions can submit a download request appended with a '.' dot character to bypass the file extension check and download arbitrary files in the root directory.

In certain cases where similarly named directories exist, a remote authenticated user may be able to browse or download files from a similarly named directory instead of the intended directory.

Impact:   A remote user can cause the target service to crash.

A remote authenticated user may be able to execute arbitrary code on the target system.

A remote authenticated user can view directory listings on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.flippet.org/wawi/ (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in Winamp Web Interface 7.5.13


#######################################################################

                             Luigi Auriemma

Application:  Winamp Web Interface
              http://www.flippet.org/wawi/
Versions:     <= 7.5.13
Platforms:    Windows (Winamp plugin)
Bugs:         A] buffer-overflow in FindBasicAuth
              B] browsing directory traversal
              C] buffer-overflow in the browse, download and load functions
              D] file extension check bypassing in file downloading
              E] lucky path name
Exploitation: remote, only bug A doesn't require privileges
Date:         10 Dec 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Winamp Web Interface (Wawi) is a nice open source plugin for Winamp
(http://www.winamp.com) which allows the remote administration of the
media player through any web browser.


#######################################################################

=======
2) Bugs
=======


-----------------------------------
A] buffer-overflow in FindBasicAuth
-----------------------------------

FindBasicAuth() is the function located in security.cpp which parses
the Authorization HTTP field of the client's request.
Basically this function places, sequentially, the auth mode and base64
strings containing the username:password fields in the temp buffer of
only 100 bytes and then decodes this string using the userpass buffer,
also of 100 bytes.
The operation is made through the GetAString() function which limits
the strings to 255 chars.

In my tests it doesn't seem possible to exploit the bug to execute
remote code.
This is the only vulnerability which doesn't require privileges to be
exploited.


-------------------------------
B] browsing directory traversal
-------------------------------

The Browse() function located in browse.cpp is used for showing the
available files in a specific folder within the root directory.
The function (as all the others in the program) checks the path
received from the client using the GoodPath() function, which verifies
whether there are risks caused by sequential dots and backslashes (like \..\).

The problem here is that slashes are correctly converted to backslashes
before this function is called, but the hex-encoded slashes (%2f) aren't,
allowing the browsing of any folder (files are limited by the
extensions specified in the configuration) on the disk where the root
directory is located.

As already said, only browsing is possible, not downloading.
The attacker needs the "Browse" privilege to exploit this bug.


-------------------------------------------------------------
C] buffer-overflow in the browse, download and load functions
-------------------------------------------------------------

The Browse(), CControl::Download() and CControl::Load() functions are
affected by a buffer overflow caused by the creation of a string
containing the root directory plus the path string received from the
client using a buffer of only MAX_PATH bytes (260, the same size as the
client string).

The attacker needs the required privileges related to the function he
wants to exploit.


-----------------------------------------------------
D] file extension check bypassing in file downloading
-----------------------------------------------------

Wawi also has a check for allowing the downloading of some types of
files by the users with the "Download" permission.
In the "Music Collections" section of the Wawi configuration we can
find two switches for allowing the viewing or the downloading of the
Winamp files and all the others.

CControl::Download() calls the IsWinampFile() function for checking if
the requested filename is supported by Winamp and then allows the
downloading if the related option has been selected.

A dot after the requested filename will allow an attacker with the
"Download" privilege to download any file of any extension located in
the root directory.

Note: this is not really a bug of Wawi but I report it here since it's
one of the rare cases in which it can be exploited maliciously.


------------------
E] lucky path name
------------------

Any of the functions used for handling the files (like browsing,
loading, downloading and so on) requires a backslash before the path
or file name, like http://localhost/browse?path=\
If another folder or file exists whose name begins with the name of the
root directory, it is possible to use it instead of the configured one.

For example, if the root directory is c:\folder and the attacker uses
http://localhost/browse?path=2, he will browse c:\folder2 if it exists,
or he can also download the file c:\folder2.mp3, if it exists.

The required privileges (and the usual luck!) are needed to exploit
this bug.


#######################################################################

===========
3) The Code
===========


A] http://localhost/browse
   then insert a username longer than 100 chars

B] http://localhost/browse?path=%2f..%2f..%2f

C] http://localhost/dl?file=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
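A hardened path-validation routine covering bugs B, C, D and E, added here as an example; it is not code from Auriemma's advisory or from WAWI itself. ROOT, the 260-byte limit and the extension list are constructed stand-ins for the plugin's configuration, and SafeJoin() and IsWinampFileExt() are hypothetical names.

```cpp
#include <cctype>
#include <string>
// Hypothetical hardened GoodPath()-style check (added example, not WAWI code):
// percent-decode BEFORE converting separators (bug B), bound the joined string
// to MAX_PATH (bug C), strip trailing dots so the extension check sees the real
// name (bug D), and require root + '\' rather than just the root prefix (bug E).
static const std::string ROOT = "c:\\folder";   // constructed sample root dir
static const size_t MAX_PATH_LEN = 260;          // MAX_PATH on Windows

// Decode %XX escapes; returns false on a malformed escape.
static bool PercentDecode(const std::string &in, std::string &out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
            !std::isxdigit((unsigned char)in[i + 2]))
            return false;
        out += (char)std::stoi(in.substr(i + 1, 2), nullptr, 16);
        i += 2;
    }
    return true;
}

// On success fills `full` with ROOT + normalised path and returns true.
bool SafeJoin(const std::string &request, std::string &full) {
    std::string p;
    if (!PercentDecode(request, p)) return false;
    for (char &c : p) if (c == '/') c = '\\';           // unify separators after decoding
    if (p.empty() || p[0] != '\\') return false;         // bug E: "2" must not reach c:\folder2
    if (p.find("..") != std::string::npos) return false; // bug B: conservative, no ".." at all
    if (p.find('\0') != std::string::npos) return false; // embedded NUL would truncate a C string
    while (!p.empty() && (p.back() == '.' || p.back() == ' '))
        p.pop_back();                                    // bug D: "file.txt." -> "file.txt"
    full = ROOT + p;
    if (full.size() >= MAX_PATH_LEN) return false;       // bug C: must fit MAX_PATH incl. NUL
    return full.compare(0, ROOT.size() + 1, ROOT + "\\") == 0;
}

// Extension check run on the normalised name; the list is a constructed sample.
bool IsWinampFileExt(const std::string &full) {
    static const char *const ok[] = {".mp3", ".m3u", ".pls"};
    for (const char *e : ok) {
        std::string ext(e);
        if (full.size() >= ext.size() && full.compare(full.size() - ext.size(), ext.size(), ext) == 0)
            return true;
    }
    return false;
}
```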