16th Sep 2002 [SBWID-5689]
COMMAND
Savant cgitest BoF, crash with negative Content-Length and bad chars usage
SYSTEMS AFFECTED
Savant 3.1 and possibly previous versions
PROBLEM
Auriemma Luigi [aluigi@pivx.com], Security Researcher, PivX Solutions, LLC [http://www.pivx.com/luigi] found:
--snipp--
A] Cgitest.exe overflow
-----------------------
The cgitest.exe program that is inserted by default in the cgi-bin
directory is vulnerable to a buffer overflow. The limit of acceptable
characters is 128, so we need to send only 136 bytes to overwrite the EBP
and EIP registers and crash the server. I don't think it is possible to
write a good shellcode in this case because the bytes that go into the
stack are few; however, an interesting and simple thing is to point the
EIP register to KERNEL32.DLL->ReadFile, because the server will crash
totally and the administrator will get a nice blue screen (tested on
Win9x). During the blue screen port 80 will stay open but the
server will not answer client requests.
B] Content-Length crash
-----------------------
A nice DoS is the negative Content-Length value. The value that Savant
expects from the user is an integer, and when the attacker sends a
negative number the server will crash. However, until the Windows error
message is acknowledged the server will continue to run without
problems.
C] Authorization bypassing
--------------------------
Uhmm, the usual Win32 API problem is again our best friend, and this time
it gives us access to all of the user folders in the Savant server. So by
adding the chars ' ' (%20) and '.' (%2e) at the end of the requested
filename we gain full access to the password protected folders.
The other good news is that the limit on the network class that is
authorized to access the folder can be bypassed without problems
with this method (so if the admin has set class D only access, an
attacker with any IP has full access without respecting this limit).
Note: if we want to use the space (' ') char, we must also add the '/'
char after it.
3) The Code
===========
A] Cgitest.exe overflow
-----------------------
Check my web page for a tiny example that causes a blue screen and
server crash (so it crashes the whole server and not only the single
connection). I have simply written the EIP 00409430 (which points to
KERNEL32.DLL->ReadFile, but you can use KERNEL32.DLL->WriteFile too) to
get a bad DoS that crashes the server and gives a blue screen.
Usage: nc <host> 80 -v -v -n < savant-cgitest.txt
http://www.pivx.com/luigi/poc/savant-cgitest.txt
B] Content-Length crash
-----------------------
GET / HTTP/1.0
Content-Length: -1
C] Authorization bypassing
--------------------------
http://host/password_folder.
"GET /password_folder / HTTP/1.0" <-- use with telnet
http://host/password_folder%2e
http://host/password_folder%20
--snapp--
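The following is an added example, not part of the advisory and not Savant's code: a Python request pre-filter of the kind a reverse proxy or WAF rule in front of a Savant 3.1 host could apply, covering all three issues above. It rejects a Content-Length that is not a plain non-negative integer (issue B), caps the input that reaches cgitest.exe at the 128 characters the advisory gives (issue A; whether that input arrives in the query string or the body is an assumption, so both are capped), and canonicalises the request path by dropping the trailing '.' and ' ' characters that the Win32 file APIs discard, so that the folder ACL is evaluated on the name the filesystem will actually open (issue C). The 128-character limit comes from the advisory; the protected-folder name, the finding labels and the sample requests are constructed for the example.

```python
"""Request pre-filter for the three Savant 3.1 issues in the advisory.

Added example, not Savant's code and not the advisory's PoC.  Field
names, the protected folder and the thresholds are assumptions.
"""
import re
from urllib.parse import unquote

# The advisory states cgitest accepts 128 characters; treat more as overflow.
CGI_ARG_LIMIT = 128
# Constructed ACL: folders the server protects with a password.
PROTECTED_PREFIXES = ("/password_folder",)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers).

    The target is everything between the method and the version token,
    so a target containing a literal space ("/folder /") survives."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, _, rest = lines[0].partition(" ")
    target, _, version = rest.rpartition(" ")
    if not (method.isalpha() and target and version.startswith("HTTP/")):
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # end of header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def canonical_path(target):
    """Percent-decode the path, resolve '.' and '..', and strip the trailing
    '.' and ' ' characters that the Win32 file APIs drop when opening a
    name.  An ACL matched on the raw request string but enforced on the
    on-disk name must be checked against this form, otherwise a '%2e' or
    '%20' suffix slips past it (issue C)."""
    parts = []
    for seg in unquote(target.split("?", 1)[0]).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        seg = seg.rstrip(" .")
        if seg:
            parts.append(seg)
    return "/" + "/".join(parts)


def requires_auth(path):
    """ACL lookup on the canonical path: protected if it is a protected
    folder or lies beneath one."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def analyze_request(raw):
    """Classify one raw request against the three issues and return the
    canonical path on which the folder ACL should be evaluated."""
    _method, target, headers = parse_request(raw)
    findings = []

    # Issue B: Savant parses Content-Length as a signed integer and dies on
    # a negative one.  Accept only a plain non-negative decimal.
    cl = headers.get("content-length")
    if cl is not None and not re.fullmatch(r"[0-9]+", cl):
        findings.append("content-length-not-unsigned")

    raw_path, _, query = target.partition("?")
    path = canonical_path(target)

    # Issue A: cgitest copies its input into a 128-byte buffer.  Whether the
    # input comes from the query string or the body is assumed; cap both.
    if path.lower().endswith("/cgitest.exe"):
        body_len = int(cl) if cl is not None and cl.isdigit() else 0
        if len(query) > CGI_ARG_LIMIT or body_len > CGI_ARG_LIMIT:
            findings.append("cgitest-input-over-limit")

    # Issue C: a decoded segment ending in '.' or ' ' is the bypass
    # signature; the '.' and '..' segments themselves are legitimate.
    if any(seg not in (".", "..") and seg != seg.rstrip(" .")
           for seg in unquote(raw_path).split("/")):
        findings.append("trailing-dot-or-space-in-path")

    return {"path": path, "findings": findings,
            "protected": requires_auth(path), "allow": not findings}


if __name__ == "__main__":
    # Constructed samples modelled on the advisory's requests.
    for sample in ("GET / HTTP/1.0\r\nContent-Length: -1\r\n\r\n",
                   "GET /password_folder%2e HTTP/1.0\r\n\r\n",
                   "GET /password_folder / HTTP/1.0\r\n\r\n",
                   "GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n"):
        print(sample.split("\r\n")[0], "->", analyze_request(sample))
```

The design point is that the ACL decision in `requires_auth` never sees the raw request string: `/password_folder.`, `/password_folder%20` and `/password_folder /` all canonicalise to `/password_folder`, so the network-class and password checks apply to the same name the filesystem will open. Requests that carry any of the three signatures are flagged rather than silently normalised, which gives a detection hook as well as a mitigation.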
SOLUTION