[NT] MiniWeb Directory Traversal and Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Jan 2008 13:48:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
MiniWeb Directory Traversal and Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/miniweb> MiniWeb is "a mini HTTP server
implementation written in C language, featuring low system resource
consumption, high efficiency, good flexibility and high portability". Two
vulnerabilities have been discovered in MiniWeb. They allow a remote
attacker either to cause the product to execute arbitrary code by
overflowing an internal buffer, or to access files that reside outside the
bounding HTML root directory via a directory traversal vulnerability.
DETAILS
Vulnerable Systems:
* MiniWeb version 0.8.19
Directory Traversal:
An input validation error in the URL request handling of the
mwGetLocalFileName() function (http.c) can be exploited to disclose
arbitrary files (and directory listings) outside the web root through
directory traversal attacks using the "/.%2e/" or "/%2e%2e/" sequences.
Proof of Concept:
Directory listing:
http://127.0.0.1:80/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/
Disclose arbitrary files:
http://127.0.0.1:80/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/boot.ini
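An added example, not part of the advisory or of MiniWeb's code: one way a C server can reject the "/.%2e/" and "/%2e%2e/" requests above is to percent-decode the path once and only then check that no ".." segment climbs above the web root. The function names and the 1024-byte limit are assumptions for illustration; backslash is treated as a separator because the affected platform is Windows.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {              /* hex digit value, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst. Returns the length, or -1 on a malformed
 * escape, a decoded NUL byte, or a result that does not fit in cap. */
static int url_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        }
        if (c == 0 || n + 1 >= cap) return -1;   /* fail closed */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Returns 1 if the request path stays inside the web root, else 0.
 * The check runs on the DECODED path, so "%2e" is seen as ".". */
int request_path_is_safe(const char *url_path) {
    char buf[1024];                     /* assumed limit; longer paths fail */
    int depth = 0;
    if (url_path[0] != '/' || url_decode(url_path, buf, sizeof buf) < 0) return 0;
    for (char *seg = buf, *end; *seg; seg = end) {
        while (*seg == '/' || *seg == '\\') seg++;        /* skip separators */
        end = seg + strcspn(seg, "/\\");
        size_t len = (size_t)(end - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;                    /* above the root */
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) depth++;
    }
    return 1;
}

int main(void) {                        /* request path from the advisory */
    const char *poc = "/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/boot.ini";
    printf("%s -> %s\n", poc, request_path_is_safe(poc) ? "allow" : "reject");
    return 0;
}
```

The check only holds if the file name is built from the same decoded string; decoding again after the check reintroduces the problem.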
Heap-based buffer overflow vulnerability:
There is also a heap-based buffer overflow in this web server. The
vulnerability is caused by a boundary error in the _mwProcessReadSocket()
function (http.c) when handling HTTP requests. This can be exploited by
sending an overly long, specially crafted request, which can cause a heap
overflow and allow arbitrary code execution with the privileges of the web
service.
Proof of Concept:
GET /AAAA...[3600 - 4000]...AAAA/ HTTP/1.0
ADDITIONAL INFORMATION
The information has been provided by <mailto:ebadi@xxxxxxxxxx> Hamid
Ebadi.
The original article can be found at:
<http://www.bugtraq.ir/adv/miniweb-english.pdf>