[Full-disclosure] Directory traversal in the webadmin of Unreal Tournament 3 1.3
###

Luigi Auriemma

Application:  Unreal Tournament 3
              http://www.unrealtournament3.com
Versions:     1.3 ONLY (both build 3601 and 3614), older versions are safe
Platforms:    Windows and Linux
Bug:          directory traversal in the web interface
Exploitation: remote, versus server
Date:         21 Sep 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Unreal Tournament 3 (UT3) is the latest game of the famous homonymous series developed by Epic Games (http://www.epicgames.com).

###

=== 2) Bug ===

UT3, as any other game based on the Unreal engine, has an internal web server called uWeb for controlling its own server remotely using a web browser. This interface is disabled by default and in the case of UT3 the additional files located on http://ut3webadmin.elmuerte.com are needed (a choice made by Epic for fixing possible issues more quickly).

In the last 1.3 patch, released on the 13th August 2008, a bad and unusual modification has been made to uWeb. In fact the WebAdmin component is composed of two sub-components/classes called UTServerAdmin (used for everything) and UTImageServer, used only for the handling of the HTTP requests for the files in the /images folder.

In the script of the ImageServer component in version 1.3 the following change has been made, which has removed the limitation of downloading only files with the extensions JPG, JPEG, GIF, BMP and PNG:

ImageServer.uc of version 1.2:

    ...
    else
    {
        Response.HTTPError(404);
        return;
    }
    Response.IncludeBinaryFile( Path $ Image );

ImageServer.uc of version 1.3:

    ...
    else
    {
        Response.SendStandardHeaders("application/octet-stream", true);
    }
    Response.IncludeBinaryFile( Path $ Image );

Not such a dangerous thing, except that the directory traversal which has ALWAYS affected this part of the engine, and which has never been possible to exploit due to the filters on the extensions of the requested files (an image can't be classified as "sensitive" data, moreover if there is no way to know the exact locations of these files), now allows any external unauthenticated attacker to download files from the system.

In fact when a file is requested the engine first looks in the home folder of the user who has launched the UT3 server (for example "C:\Documents and Settings\Administrator\My Documents\My Games\Unreal Tournament 3"), because the configuration files used by the server are located just there, and then in the folder of the game, so having the server installed on another partition doesn't limit the problem.

For example, it's enough to request the file "/images/../../UTGame/Config/UTGame.INI" to see all the configuration of the server, which includes also the admin password to gain access to the same webadmin interface.

In the example I have used the INI extension instead of ini because this particular extension seems filtered internally, so it's enough to use one or more upper case chars in it to bypass the check, while there are no strange behaviours for the other extensions or files.

###

=== 3) The Code ===

http://aluigi.org/poc/ut3webown.txt

    nc SERVER 80 -v -v < ut3webown.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
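The two checks the post says were missing or removed, written out as an added example (not code from the Unreal engine or the UT3 WebAdmin project): a traversal-free path check and a case-insensitive extension allowlist, so that "UTGame.INI" is judged exactly like "UTGame.ini". The function names and the 0/403/404 result convention are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Extensions the 1.2 ImageServer allowed; anything else gets a 404 as before. */
static const char *const ALLOWED_EXT[] = {"jpg", "jpeg", "gif", "bmp", "png"};

/* True when every segment of an absolute path is a plain file or directory
 * name: no "." or "..", no empty segments (which would hide "//"), no
 * backslashes, and no trailing separator. */
bool path_is_safe(const char *path)
{
    if (path == NULL || path[0] != '/' || strchr(path, '\\') != NULL)
        return false;
    const char *seg = path + 1;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 0)
            return false;                       /* "//" or trailing "/" */
        if ((len == 1 && seg[0] == '.') ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return false;                       /* "." or ".." segment */
        if (end == NULL)
            return true;
        seg = end + 1;
    }
}

/* Case-insensitive allowlist: "UTGame.INI" and "UTGame.ini" are judged the
 * same, so mixed case in the extension cannot bypass the check. */
bool extension_is_image(const char *path)
{
    const char *dot = strrchr(path, '.');
    const char *slash = strrchr(path, '/');
    if (dot == NULL || (slash != NULL && dot < slash) || dot[1] == '\0')
        return false;
    for (size_t i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++)
        if (strcasecmp(dot + 1, ALLOWED_EXT[i]) == 0)
            return true;
    return false;
}

/* HTTP status an image handler should answer with (assumed convention):
 * 0 = serve the file, 403 = traversal or malformed path,
 * 404 = outside /images/ or not an allowed image type. */
int image_request_status(const char *request_path)
{
    static const char prefix[] = "/images/";
    if (request_path == NULL ||
        strncmp(request_path, prefix, sizeof prefix - 1) != 0)
        return 404;
    if (!path_is_safe(request_path))
        return 403;
    if (!extension_is_image(request_path))
        return 404;
    return 0;
}
```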
[Full-disclosure] Failed assertion in the Unreal engine
###

Luigi Auriemma

Application:  Unreal engine
              http://www.unrealtechnology.com
Versions:     the games which have been tested and resulted vulnerable are Unreal Tournament 3 1.3, Unreal Tournament 2003 and 2004, Dead Man's Hand, Pariah, WarPath, Postal2, Shadow Ops and possibly others.
              Instead those which "seem" to be not vulnerable (using their default configuration) are: Fuel of War, America's Army, Men of Valor, Star Wars Republic Commando, SWAT4 and some older games based on the Unreal engine 1 (like UT'99)
Platforms:    Windows, Linux, Mac
Bug:          server termination caused by failed assertion
Exploitation: remote, versus server
Date:         16 Sep 2008
Thanx to:     Luigi "Gioggiolo"
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

The Unreal engine is the game engine developed by Epic Games (http://www.epicgames.com) and used in many famous commercial games, of which the main example is just the lucky Unreal Tournament series.

###

=== 2) Bug ===

There exists an assert() in the Unreal engine which shuts down the engine if the "Closing" flag in UnChan.cpp is set, probably referring to the closed state of the output channel:

    Assertion failed: !Closing [File:.\UnChan.cpp] [Line: XXX]

The only way I have found for exploiting this vulnerability is through the request of downloading two or more files from the server, which means that the attacker must join the target server because it doesn't seem possible to use the File channel from outside. I'm not aware of other easier or alternative ways for exploiting this specific vulnerability.

###

=== 3) The Code ===

http://aluigi.org/fakep/unrealfp.zip

    unrealfp -d all SERVER PORT

###

=== 4) Fix ===

No fix

There exist at least 2 easy work-arounds for this vulnerability:

- setting "AllowDownloads=false" in the INI file of the game.
  Naturally this method can't solve the problem if there exist other ways (of which I'm not aware at the moment) to exploit this vulnerability
- disabling the "!Closing" assertion (tests performed on the Windows and Linux servers of some games); the list of the bytes to modify with a hex editor is available here:
  http://aluigi.org/patches/unrealoadfix.txt
- there is a "strange" way that has avoided the termination of the server (and I report it here only for thoroughness) through the enabling of the map voting (like [xVoting.xVotingHandler] and bMapVote=True in the INI of UT2003 and UT2004)

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Clients format strings in the Unreal engine
###

Luigi Auriemma

Application:  Unreal engine
              http://www.unrealtechnology.com
Versions:     almost any game which uses the Unreal engine is affected by this vulnerability except some like Unreal Tournament 2004, Dead Man's Hand and possibly other old games
Platforms:    Windows, Linux, Mac
Bug:          format string
Exploitation: remote, versus client
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

The Unreal engine is the game engine developed by Epic Games (http://www.epicgames.com) and used in many famous commercial games, of which the main example is just the lucky Unreal Tournament series.

###

=== 2) Bug ===

The Unreal engine is affected by some format string vulnerabilities which can be exploited by a malicious server when the victim client connects to it.

The main format string can be exploited through a malformed CLASS parameter of the DLMGR command, but another one seems to be exploitable through the forcing of the download of a malformed package (PKG). Some older games instead can be exploited through a malformed LEVEL parameter of the WELCOME command.

The bug is caused by the calling of _vsnwprintf_s or _vsnwprintf for building an error message to show to the user (for example for a missing class) using a max size of 4 kilobytes and, naturally, without passing the needed format argument.

###

=== 3) The Code ===

http://aluigi.org/testz/unrealts.zip
http://aluigi.org/poc/unrealcfs.txt

- unrealts unrealcfs.txt (or "unrealts -x 2 unrealcfs.txt" for the Unreal 3 engine, use -x for others)
- open the console of your client (~) and type: open 127.0.0.1:

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Server termination in the Unreal engine 3
###

Luigi Auriemma

Application:  Unreal engine 3
              http://www.unrealtechnology.com
Versions:     the bug affects various games which use the Unreal engine 3 like Unreal Tournament 3 1.3, Frontlines: Fuel of War 1.1.1 and so on.
              Turning Point: Fall of Liberty is NOT vulnerable.
              note: the proof-of-concept used for testing this bug has caused also the termination of other older games like Star Wars Republic Commando, Pariah, Warpath and Shadow Ops (no additional checks have been performed on them)
Platforms:    Windows, Linux, Mac
Bug:          server termination caused by failed memory allocation
Exploitation: remote, versus server
Date:         11 Sep 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

The Unreal engine is the game engine developed by Epic Games (http://www.epicgames.com) and used in many famous commercial games, of which the main example is just the lucky Unreal Tournament series.

###

=== 2) Bug ===

The problem is located in the function which reads the strings from the packet, where a 32 bit number is located (it was an index number in the previous Unreal engine 1 and 2) which specifies the size in bytes of the subsequent string to read. This function removes the sign of the number if it's negative and then tries to allocate an amount of memory double this value, because the new buffer is used for containing the unicode version of the string. Before copying the data an additional check is performed on the sign of the value for avoiding integer overflows (for example using the value 0x8000). If an attacker uses a 32 bit number greater than how much is allocable on the system (like 0x7fff) the engine terminates immediately showing a log message like the following:

    Critical: Ran out of virtual memory. To prevent this condition, you must free up more space on your primary hard disk.

Turning Point: Fall of Liberty is another game which uses the Unreal engine 3 but, differently from the others tested by me, the function which allocates the memory doesn't shut down the entire game for reporting the error but simply returns a NULL value (like a classical malloc) which is correctly handled, and so the game is not vulnerable.

The attack can be performed versus the server using one simple UDP packet with the possibility of spoofing it.

###

=== 3) The Code ===

http://aluigi.org/poc/ut3sticle.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
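A bounded reader for the kind of length-prefixed string field described above, added here as an example and not the Unreal engine's own FString code. The field layout (little-endian int32 count, negative meaning UTF-16 characters, positive meaning ANSI, followed by the characters), the cap value and the function names are assumptions; the point shown is that the declared count is capped and compared with the bytes actually received before anything is allocated, so a count like 0x7fffffff is refused rather than handed to the allocator, and allocation failure is reported instead of terminating the process.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_CHARS 1024u /* hard cap, independent of what the packet claims */

enum str_status { STR_OK = 0, STR_TRUNCATED, STR_TOO_LONG, STR_BAD_COUNT, STR_NOMEM };

struct net_string {
    uint32_t nchars;  /* declared character count after sign removal */
    int unicode;      /* 1 when the count was negative (UTF-16 payload) */
    uint8_t *bytes;   /* payload copy: nchars * (unicode ? 2 : 1) bytes */
};

static int32_t read_i32_le(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Parses one string field at *pos. On STR_OK it advances *pos and fills *out
 * (caller frees out->bytes); any other status leaves *pos untouched. */
enum str_status read_net_string(const uint8_t *pkt, size_t pkt_len, size_t *pos,
                                struct net_string *out)
{
    if (*pos > pkt_len || pkt_len - *pos < 4)
        return STR_TRUNCATED;
    int32_t count = read_i32_le(pkt + *pos);
    if (count == INT32_MIN)               /* -INT32_MIN does not exist in int32 */
        return STR_BAD_COUNT;
    int unicode = count < 0;
    uint32_t nchars = (uint32_t)(unicode ? -count : count);
    if (nchars > MAX_STRING_CHARS)        /* cap the declared count first */
        return STR_TOO_LONG;
    size_t payload = (size_t)nchars * (unicode ? 2u : 1u);
    if (pkt_len - *pos - 4 < payload)     /* must fit in what was received */
        return STR_TRUNCATED;
    uint8_t *copy = malloc(payload ? payload : 1);
    if (copy == NULL)                     /* report it, never abort the server */
        return STR_NOMEM;
    memcpy(copy, pkt + *pos + 4, payload);
    out->nchars = nchars;
    out->unicode = unicode;
    out->bytes = copy;
    *pos += 4 + payload;
    return STR_OK;
}

/* Parse one field from the start of a buffer and report only the status. */
enum str_status status_of(const uint8_t *pkt, size_t pkt_len)
{
    size_t pos = 0;
    struct net_string s;
    enum str_status st = read_net_string(pkt, pkt_len, &pos, &s);
    if (st == STR_OK)
        free(s.bytes);
    return st;
}

/* Declared character count of an accepted field, or -1 if it was refused. */
long chars_of(const uint8_t *pkt, size_t pkt_len)
{
    size_t pos = 0;
    struct net_string s;
    if (read_net_string(pkt, pkt_len, &pos, &s) != STR_OK)
        return -1;
    long n = (long)s.nchars;
    free(s.bytes);
    return n;
}

/* Constructed sample fields (not captured traffic). */
static const uint8_t SAMPLE_ANSI[]    = {0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_UTF16[]   = {0xfe, 0xff, 0xff, 0xff, 'h', 0x00, 'i', 0x00}; /* count -2 */
static const uint8_t SAMPLE_HUGE[]    = {0xff, 0xff, 0xff, 0x7f};            /* count 0x7fffffff */
static const uint8_t SAMPLE_INT_MIN[] = {0x00, 0x00, 0x00, 0x80};            /* count 0x80000000 */
static const uint8_t SAMPLE_SHORT[]   = {0x10, 0x00, 0x00, 0x00, 'a', 'b'};  /* claims 16, carries 2 */
```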
[Full-disclosure] NULL pointer in Ventrilo 3.0.2
###

Luigi Auriemma

Application:  Ventrilo
              http://www.ventrilo.com
Versions:     <= 3.0.2
Platforms:    Windows, Linux i386, Solaris SPARC, Solaris x86, FreeBSD i386, NetBSD i386, Mac OSX PowerPC
Bug:          NULL pointer
Exploitation: remote, versus server
Date:         13 Aug 2008
Authors:      Andre Malm
              web:    sheepa.org
              Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Ventrilo is one of the most known and used voice chat softwares for gamers.

###

=== 2) Bug ===

Despite the vice of the Ventrilo developers of changing the protocol of their application quite often (like the recent senseless additional encryption keys located on their centralized servers needed for the handshake and the in-game packets of the 3.x servers), the first packet sent to a Ventrilo server has always the same format on any new and old version: type 0, version and two random strings.

If the server receives a version string different from its own it sends an "Incompatible version" error message to the client and skips the instructions that create the random keys used for the encryption and decryption of all the subsequent packets.

So if an attacker supplies an invalid version and sends another packet with any content in it, the server crashes due to the key assigned for the decryption of the client's packets which is still uninitialized (in fact the NULL pointer exception happens just in the decryption function).

###

=== 3) The Code ===

http://aluigi.org/poc/ventrilobotomy.zip

###

=== 4) Fix ===

No official fix.
I have written a universal work-around which works with any version and platform (SPARC and Mac OSX excluded) of the dedicated server:

http://aluigi.org/patches/ventrilobotomyfix.zip

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Endless loop and resources consumption in Halo 1.0.7.0615
###

Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.0.7.0615 (before 30 Jul 2008)
Platforms:    Windows
Bugs:         A] endless loop
              B] resources consumption
Exploitation: remote, versus server
Date:         06 Aug 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Halo is the great FPS game developed by Bungie Studios and ported on PC by Gearbox Software (http://www.gearboxsoftware.com). Although it has been released at the end of 2003, it's still one of the most played games with hundreds of internet servers.

###

=== 2) Bugs ===

--- A] endless loop ---

The Halo server is affected by a problem in the handling of a type of packet which can cause the bypassing of a check used to avoid the reading of data outside the packet. The result is an endless loop which freezes the application with CPU at 100%.

--- B] resources consumption ---

When a client occupies the player's slot after joining the match, the Halo server continues to send packets to it forever because it stops only if an ICMP "destination unreachable" or a disconnection packet is received (there is no timeout; this is the cause of the problem). This has been tested personally by me and after a week I was still receiving these packets because many servers have firewalls which block ICMP and so there is no way to stop this problem except restarting the server.

If the player has not occupied the slot yet (so before the handshake performed by the Gamespy SDK), the sending of packets made by the server is only 60 seconds long.

So if an attacker has disabled the outgoing ICMP packets, which is the default on any Windows with the firewall activated, he can consume a part of the network bandwidth of the server and mainly its memory, with the consequent possible crash or hanging of the application.

Note that, as already said, a handshake is required for occupying the slot so it's not possible to spoof the packets, which instead is possible for the second method of the 60 seconds.

###

=== 3) The Code ===

A] http://aluigi.org/poc/haloloop3.zip
B] http://aluigi.org/poc/halonso.zip

###

=== 4) Fix ===

The hotfix released on the 30th July 2008 solves these problems.
Note that this hotfix has the same version number as the previous one released a month before for the haloloop2 bug: 1.0.7.0615.

###

---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
[Full-disclosure] Server termination in America's Army 2.8.3.1
###

Luigi Auriemma

Application:  America's Army
              http://www.americasarmy.com
Versions:     <= 2.8.3.1
Platforms:    Windows (tested), Linux and Mac
Bug:          server termination due to failed assertion
Exploitation: remote, versus server
Date:         02 Aug 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From Wikipedia:
"America's Army (also known as AA or Army Game Project) is a tactical multiplayer first-person shooter owned by the United States Government and released as a global public relations initiative to help with U.S. Army recruitment."

###

=== 2) Bug ===

The AA server can be terminated remotely through a specific single spoofable UDP packet which leads to a failed assertion:

    Assertion failed: VoiceIndex

###

=== 3) The Code ===

http://aluigi.org/poc/armynchia.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
[Full-disclosure] NULL pointer in Unreal Tournament 2004 v3369
###

Luigi Auriemma

Application:  Unreal Tournament 2004
              http://www.unrealtournament2003.com/ut2004/index.html
Versions:     <= v3369
Platforms:    Windows and Linux
Bug:          NULL pointer
Exploitation: remote, versus server
Date:         30 Jul 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Unreal Tournament 2004 is a well known FPS game developed by Epic Games (http://www.epicgames.com) and released at the beginning of 2004.

###

=== 2) Bug ===

Through a specific sequence of packets an attacker is able to crash the UT2004 server due to a NULL pointer exception.

###

=== 3) The Code ===

http://aluigi.org/poc/ut2004null.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
[Full-disclosure] Memory corruption and NULL pointer in Unreal Tournament III 1.2
###

Luigi Auriemma

Application:  Unreal Tournament III
              http://www.unrealtournament3.com
Versions:     <= 1.2 and 1.3beta4
Platforms:    Windows (tested), Linux, PS3 and Xbox360
Bugs:         A] memory corruption
              B] NULL pointer
Exploitation: remote, versus server
Date:         30 Jul 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Unreal Tournament III is the latest game (2007) of the Unreal series created by Epic Games (http://www.epicgames.com).

###

=== 2) Bugs ===

--- A] memory corruption ---

UT3 is affected by a problem in the handling of a specific type of packet. In this particular type of packet there is a 16 bit field which specifies the size of the data that follows, and if this string is longer than about 172 bytes a memory corruption will occur, allowing an attacker to control various registers which could allow the execution of malicious code.

--- B] NULL pointer ---

If the amount of data I talked about previously is bigger than the total size of the packet, the string will not be read and a NULL pointer exception will occur. This type of bug is easily recognizable on the server because the message "Error: Attempted to multiply free a voice packet" is displayed before the crash when the malformed packet is received.

###

=== 3) The Code ===

http://aluigi.org/poc/ut3mendo.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
[Full-disclosure] NULL pointer in ZDaemon 1.08.07
###

Luigi Auriemma

Application:  ZDaemon
              http://www.zdaemon.org
Versions:     <= 1.08.07
Platforms:    Windows and Linux
Bug:          NULL pointer
Exploitation: remote, versus server (in-game)
Date:         21 Jul 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

ZDaemon is one of the most played multiplayer ports of the Doom engine and at the same time one of the most criticized too.

###

=== 2) Bug ===

The ZDaemon server is affected by a NULL pointer vulnerability which allows an attacker to crash it when a specific type of command (type 6) is used.

The attacker needs to join the server for exploiting this bug, so his IP address must not be banned and he must know the right keyword if the server is protected with a password.

###

=== 3) The Code ===

http://aluigi.org/poc/zdaemonull.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org
[Full-disclosure] Endless loop in Soldner 33724
###

Luigi Auriemma

Application:  SÖLDNER - Secret Wars
              http://www.secretwars.net
              http://soldner.jowood.com
Versions:     <= 33724
Platforms:    Windows
Bug:          endless loop
Exploitation: remote, versus server
Date:         01 Jul 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

SÖLDNER is a tactical military game developed by Wings Simulations and released in May 2004.

###

=== 2) Bug ===

Each UDP packet for this game can contain various blocks of data. The type 0x80 forces the server to perform a cycle from zero to the 32 bit number (so max 0x) specified in that data block.

The maximum size of a packet supported by the game is 1400 bytes, in which it's possible to place max 233 blocks of this type, causing the freeze of a server for over 2 hours (tested with a fast CPU).

###

=== 3) The Code ===

http://aluigi.org/poc/usurdat.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Endless loop in Halo 1.07
###

Luigi Auriemma

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.07
Platforms:    Windows
Bug:          endless loop
Exploitation: remote, versus server
Date:         29 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Halo is the great FPS game developed by Bungie Studios and ported on PC by Gearbox Software (http://www.gearboxsoftware.com). Although it has been released at the end of 2003, it's still one of the most played games with hundreds of internet servers.

###

=== 2) Bug ===

This vulnerability is exactly like the old one I found over 3 years ago in version 1.06 (haloloop) and which was fixed (or it's the case of saying partially fixed) in version 1.07: an endless loop caused by a malformed in-game packet which completely freezes the server.

###

=== 3) The Code ===

http://aluigi.org/poc/haloloop2.zip

###

=== 4) Fix ===

No fix.

###

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Double Denial of Service in Call of Duty 4 1.6
Version 1.7 of CoD4, released yesterday, is vulnerable too.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in S.T.A.L.K.E.R. 1.0006
###

Luigi Auriemma

Application:  S.T.A.L.K.E.R.: Shadow of Chernobyl
              http://www.stalker-game.com
Versions:     <= 1.0006
Platforms:    Windows
Bugs:         A] IPureServer::_Recieve buffer-overflow
              B] NET_Compressor::Decompress integer overflow
              C] MultipacketReciever::RecievePacket INT3
Exploitation: remote, versus server (probably clients too)
Date:         28 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

S.T.A.L.K.E.R. is a FPS game developed by GSC Game World (http://www.gsc-game.com) and released at the beginning of 2007 (the Clear Sky sequel is planned for the next months).

###

=== 2) Bugs ===

--- A] IPureServer::_Recieve buffer-overflow ---

MultipacketReciever::RecievePacket is a function used in the game when a packet beginning with the byte 0x39 is received.
The main actions performed by this function are:

- checking if a specific value in the packet is equal to 0xe0 or 0xe1
- calling NET_Compressor::Decompress for checking the availability of compressed data and decompressing it through the lzo1x algorithm and a specific dictionary (mp\lzo-dict.bin)
- calling _Recieve for handling the content of this data

The _Recieve function gets the 16 bit number specified in the incoming packet and uses memcpy with an 8 kilobyte stack buffer as destination, the data from the packet as source and that 16 bit value as amount of bytes to copy.

Each UDP packet in S.T.A.L.K.E.R. has a maximum size of 1472 bytes, but through the LZO compression implemented in the game it is possible to place up to 32 kilobytes of data in the packet, resulting in a stack based buffer-overflow fully controllable by the attacker.

--- B] NET_Compressor::Decompress integer overflow ---

This function checks if a specific byte in the packet is equal to 0xc1, in which case a CRC check and the decompression of the data using the rtc9_decompress function (lzo1x_decompress_dict_safe) are performed.

If the data is not compressed the function gets the current size of the data in the packet and performs a memcpy(dst, data, data_size - 1), so the sending of a packet without data causes a crash of the server due to the copying of 0x (0 - 1) bytes.

--- C] MultipacketReciever::RecievePacket INT3 ---

One of the first operations made by this interesting function is checking if a certain byte in the packet is equal to 0xe0 or 0xe1, otherwise an INT3 instruction is executed leading to the immediate termination of the server:

    01906F33  8A45 00      MOV AL,BYTE PTR SS:[EBP]
    01906F36  3C E1        CMP AL,0E1
    01906F38  56           PUSH ESI
    01906F39  57           PUSH EDI
    01906F3A  894C24 18    MOV DWORD PTR SS:[ESP+18],ECX
    01906F3E  74 05        JE SHORT xrNetSer.01906F45   ; jump if 0xe1
    01906F40  3C E0        CMP AL,0E0
    01906F42  74 01        JE SHORT xrNetSer.01906F45   ; jump if 0xe0
    01906F44  CC           INT3                         ; boom

The attacker needs to join the server for exploiting the above vulnerabilities, but although it supports the banning of the IP addresses it is possible to spoof the packets and bypass this limitation due to the lack of handshakes in the protocol of the game.

###

=== 3) The Code ===

http://aluigi.org/poc/stalker39x.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
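A defensive counterpart to the three bugs above, added here as an example and not the game's own code: it takes one block after decompression (where the post locates the copies) and, instead of trapping with INT3, computing data_size - 1 on an empty block, or copying a 16-bit length straight into an 8 kilobyte stack buffer, it reports each condition as a status. The block layout (marker byte, then a little-endian 16-bit length, then the payload), the function names and the status values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_BUF_SIZE 8192u   /* the 8 kilobyte stack buffer the post describes */

enum blk_status { BLK_OK = 0, BLK_BAD_MARKER, BLK_EMPTY, BLK_TRUNCATED,
                  BLK_TOO_LONG, BLK_NOMEM };

/* Handles one decompressed block (assumed layout: marker, u16 length, payload).
 * On BLK_OK the payload is in frame[0..*copied). */
enum blk_status handle_block(const uint8_t *blk, size_t blk_len,
                             uint8_t *frame, size_t frame_size, size_t *copied)
{
    if (blk_len == 0)
        return BLK_EMPTY;           /* bug B: the original computed blk_len - 1 here */
    if (blk[0] != 0xe0 && blk[0] != 0xe1)
        return BLK_BAD_MARKER;      /* bug C: the original executed INT3 here */
    size_t body = blk_len - 1;      /* safe now: blk_len >= 1 */
    if (body < 2)
        return BLK_TRUNCATED;       /* no room for the length field */
    uint16_t declared = (uint16_t)(blk[1] | (blk[2] << 8));
    if (declared > body - 2)
        return BLK_TRUNCATED;       /* claims more than was received */
    if (declared > frame_size)
        return BLK_TOO_LONG;        /* bug A: fits the packet, not the buffer */
    memcpy(frame, blk + 3, declared);
    *copied = declared;
    return BLK_OK;
}

/* Runs handle_block against a stack frame of the size the game used. */
enum blk_status check_block(const uint8_t *blk, size_t blk_len, size_t *copied)
{
    uint8_t frame[FRAME_BUF_SIZE];
    size_t n = 0;
    enum blk_status st = handle_block(blk, blk_len, frame, sizeof frame, &n);
    if (copied)
        *copied = n;
    return st;
}

/* Bytes accepted into the frame, or -1 when the block was refused. */
long copied_len(const uint8_t *blk, size_t blk_len)
{
    size_t n = 0;
    return check_block(blk, blk_len, &n) == BLK_OK ? (long)n : -1;
}

/* After LZO inflation a block can exceed the 1472-byte wire limit. Build a
 * block whose 0x2400 (9216) declared bytes really are present and show that
 * the frame bound still refuses it. */
enum blk_status oversized_demo(void)
{
    const size_t declared = 0x2400;              /* 9216 > FRAME_BUF_SIZE */
    uint8_t *blk = malloc(3 + declared);
    if (blk == NULL)
        return BLK_NOMEM;                        /* could not build the sample */
    blk[0] = 0xe1;
    blk[1] = (uint8_t)(declared & 0xff);
    blk[2] = (uint8_t)(declared >> 8);
    memset(blk + 3, 'A', declared);
    enum blk_status st = check_block(blk, 3 + declared, NULL);
    free(blk);
    return st;
}

/* Constructed sample blocks (not captured traffic). */
static const uint8_t BLK_GOOD[]   = {0xe0, 0x03, 0x00, 'a', 'b', 'c'};
static const uint8_t BLK_MARKER[] = {0x12, 0x03, 0x00, 'a', 'b', 'c'};
static const uint8_t BLK_SHORT[]  = {0xe1, 0x00, 0x80};   /* claims 0x8000, carries 0 */
```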
[Full-disclosure] NULL pointer in World in Conflict 1.008
###

Luigi Auriemma

Application:  World in Conflict
              http://www.worldinconflict.com
Versions:     <= 1.008
Platforms:    Windows
Bug:          NULL pointer
Exploitation: remote, versus server
Date:         22 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

World in Conflict is a RTS game developed by Massive Entertainment (http://www.massive.se) and released in 2007.

###

=== 2) Bug ===

The WIC server can be easily crashed through an access violation caused by a NULL pointer, resulting from the receiving of a data block of zero bytes on the main TCP game port (default 48000).

###

=== 3) The Code ===

http://aluigi.org/poc/wicboom.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Double Denial of Service in Call of Duty 4 1.6
###

Luigi Auriemma

Application:  Call of Duty 4: Modern Warfare
              http://www.callofduty.com
Versions:     <= 1.6
Platforms:    Windows (tested) and Linux
Bugs:         A] "Attempted to overrun string in call to va()" DoS
              B] "callvote map" Denial of Service
Exploitation: remote, versus server (in-game)
Date:         22 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Call of Duty 4 (CoD4) is the most recent and played game of the homonymous series created by Infinity Ward (http://www.infinityward.com), with over 15000 internet servers.

###

=== 2) Bugs ===

--- A] "Attempted to overrun string in call to va()" DoS ---

va() is a function of the Quake 3 engine used to quickly build strings using snprintf and a static destination buffer. If the generated string is longer than the available buffer the server shows an "Attempted to overrun string in call to va()" error and terminates.

From Call of Duty 2 (and consequently CoD4) the size of this buffer has been reduced from the original 32000 bytes to only 1024, causing many problems to the admins, for which reason I created an unofficial fix for CoD2 in the far 2006 (http://aluigi.org/patches/cod2vawo.lpatch).

So in CoD4 an attacker who has joined the server can exploit this vulnerability through the sending of a command longer than 1024 bytes, causing the immediate termination of the server.

--- B] "callvote map" Denial of Service ---

The "callvote map" buffer-overflow is an old problem which was reported to me by Sindre Dahl in 2006, affecting all the CoD1 and CoD2 servers (http://aluigi.org/adv/codmapbof-adv.txt).

This vulnerability affects also CoD4, although with some differences: the name of the map needed to exploit this bug must be at least 248 bytes long and there doesn't seem to exist a concrete way to control the code flow, so the only effect is the crash of the server and not code execution as for the other two games.

The callvote command works when in a server there are at least two players (if the server is empty the needed one can be a fake player generated with "q3fill -1") and the vote must pass. For some unknown reasons in my tests it was necessary to launch callvote two times for exploiting the bug.

For both the vulnerabilities the attacker must join the server, so if it's protected by password he must know the right keyword and his IP/guid/cdkey must not be banned.

###

=== 3) The Code ===

http://aluigi.org/poc/cod4vamap.zip

copy the files in the "main" folder of CoD4 and then type
A] /exec cod4va
B] /exec cod4map

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Server freezed in Skulltag 0.97d2-RC2
###

Luigi Auriemma

Application:  Skulltag
              http://www.skulltag.com
Versions:     <= 0.97d2-RC2
Platforms:    Windows, Linux and FreeBSD
Bug:          loop during the parsing of the packets
Exploitation: remote, versus server
Date:         16 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Skulltag is a port of the original Doom mainly focused on multiplayer gaming.

###

=== 2) Bug ===

Skulltag is affected by a problem in the parsing of some packets, with the result of freezing the entire server for some seconds through the sending of a single big malformed packet which is parsed multiple times.

This Denial of Service can be made endless using multiple malformed packets at regular intervals.

###

=== 3) The Code ===

http://aluigi.org/poc/skulltagloop.zip

###

=== 4) Fix ===

Version 0.97d2-RC3

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] NULL pointer in the HTTP/XML-RPC service of Crysis 1.21
###

Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
Versions:     <= 1.21 (1.1.1.6156 shown as gamever)
Platforms:    Windows
Bug:          NULL pointer in the HTTP/XML-RPC service
Exploitation: remote, versus server
Date:         16 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com) and released in November 2007. This game is well known for being a "computer killer" due to its high hardware requirements but also for having various problems with cheaters.

###

=== 2) Bug ===

Crysis has a small internal HTTP/XML-RPC server which must be activated with the http_startserver command (manually or through server.cfg) and allows it to receive rcon commands. This service works on port 80 if no port is specified, but usually the admins choose a custom port or just the same as the game (64087; the service is easily distinguishable due to the "Bad Request" title visible with a web browser).

If an attacker uses an HTTP request with a total length greater than 4096 bytes the server will crash due to a NULL pointer.

###

=== 3) The Code ===

http://aluigi.org/poc/dontcrysis.txt

    nc SERVER HTTPPORT -v -v < dontcrysis.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Denial of Service in S.T.A.L.K.E.R. 1.0006
###

Luigi Auriemma

Application:  S.T.A.L.K.E.R.: Shadow of Chernobyl
              http://www.stalker-game.com
Versions:     <= 1.0006
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         15 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

S.T.A.L.K.E.R. is an FPS game developed by GSC Game World (http://www.gsc-game.com) and released at the beginning of 2007 (the Clear Sky sequel is planned for the coming months).

=== 2) Bug ===

The server of this game can easily be terminated remotely through the use of a nickname longer than 64 bytes, which raises an exception. If the server is password-protected, the attacker must know the right password to exploit the vulnerability.

Although the server supports the banning of IP addresses, it is possible to spoof packets and bypass this limitation due to the lack of handshakes in the game's protocol.

=== 3) The Code ===

http://aluigi.org/poc/stalkerboom.zip

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Information disclosure in Crysis 1.21
###

Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
Versions:     <= 1.21 (1.1.1.6156 shown as gamever)
Platforms:    Windows
Bug:          information disclosure
Exploitation: remote, versus both clients and servers
Date:         15 Jun 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com) and released in November 2007. This game is well known for being a "computer killer" due to its high hardware requirements, but also for having various problems with cheaters.

=== 2) Bug ===

Crysis is affected by a strange design error which consists in appending various internal network information to its disconnect and error packets.

For example, if we send a keyexchange packet (0x8c) without having sent the preceding join packet (0x07), the server will reply with a disconnect packet (0x08) containing a "KeyExchange1 with no connection" error message followed by usually 16 lines of internal logs. These include various real-time details like IP addresses, nicknames and status of the clients (which can therefore be disconnected through spoofed disconnect packets), details about PunkBuster like paths, screenshots, bans, checks and GUIDs of the players, the status of the GameSpy SDK (stats, failed cdkey checks, communication with the master server and so on) and other more or less sensitive information.

Naturally this problem affects both servers and clients, so it is also possible to see the real-time network logs of any client playing on a server, since both its IP and port are visible in the logs at certain moments.

=== 3) The Code ===

http://aluigi.org/poc/crysislog.zip

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] ZDI-08-034: HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability
> During the handling of an encoded authentication request, the process
> copies the user-supplied login information into a fixed length stack
> buffer

This one seems to be exactly the same vulnerability I disclosed in February 2008, for which I also wrote a test attack (number 7) in my doubletakedown proof-of-concept:

http://aluigi.org/adv/doubletakedown-adv.txt

Anyway, it's an old version of Double-Take, so it should not be considered; in fact I mentioned that old bug in my advisory only for thoroughness and without giving it further consideration, since the bug had already been found and patched by the vendor itself (Double-Take, not HP).

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in WebMod 0.48
###

Luigi Auriemma

Application:  WebMod
              http://www.djeyl.net/w.php
Versions:     <= 0.48
Platforms:    Windows and Linux
Bugs:         A] directory traversal
              B] Cookie buffer-overflow
              C] parser.cpp arbitrary memory writing
              D] scripts source disclosure
Exploitation: remote
Date:         03 May 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

WebMod is an open source MetaMod plugin which acts as a web server for Half-Life, running on the TCP port equivalent to the UDP one used by the game.

=== 2) Bugs ===

-- A] directory traversal --

WebMod uses an anti-directory-traversal check which searches for any "../" pattern in the client's HTTP request. So it's enough to use a "..\" pattern to bypass the check and be able to download any file from the disk where Half-Life is running, including the configuration files of the game server (like ..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg).

Note that this bug works only on Windows servers.

From server.cpp:

  void clientHandle(int connfd, httpquery_t *query, int tid)
  ...
      if(strstr(str,"../")) // hack attempt, display index page
      {
          str[0]='\0';
      }

-- B] Cookie buffer-overflow --

A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a stack-based buffer overflow.

From server.cpp:

  void connectHandle(void *data)
  {
      char *input;
      char buf[MYSOCK_BUFLEN+1];
  ...
          for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++) buf[j]=input[i];

-- C] parser.cpp arbitrary memory writing --

The functions in parser.cpp are affected by some memory corruption vulnerabilities with different effects depending on the type of variable/script used. In short, a value longer than MAX_FILE_SIZE (16384) bytes can lead to the writing of custom data at a custom memory address through strcat (auth.w?mode), a NULL pointer (auth.w?redir), an invalid memory access (the rconpass parameter of auth.w) and so on.

-- D] scripts source disclosure --

Adding a dot at the end of the requested URI allows the viewing of the script source code instead of executing it. This bug (which should work only on FAT/NTFS filesystems) can be considered a security vulnerability ONLY if the server runs custom scripts.

=== 3) The Code ===

http://aluigi.org/poc/webmodz.zip

  nc SERVER PORT -v -v < webmodz1.txt
  nc SERVER PORT -v -v < webmodz2.txt
  nc SERVER PORT -v -v < webmodz3.txt
  nc SERVER PORT -v -v < webmodz4.txt

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Denial of Service in Call of Duty 4 1.5
###

Luigi Auriemma

Application:  Call of Duty 4: Modern Warfare
              http://www.callofduty.com
Versions:     <= 1.5
Platforms:    Windows (tested) and Linux
Bug:          Denial of Service
Exploitation: remote, versus server (in-game)
Date:         02 May 2008
Thanx to:     Chronos for the additional tests
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Call of Duty 4 (CoD4) is the most recent and most played game of the series of the same name created by Infinity Ward (http://www.infinityward.com), with over 15000 internet servers.

=== 2) Bug ===

CoD4 introduced a new type of connectionless command (like getinfo, getstatus, connect and so on) called "stats", which seems related to player statistics and can be of 6 types, sent by the client in sequential order just after having joined the remote game.

An additional type (7) exists which is accepted by the server, and if a client uses it the remote server will crash due to a memcpy() with a negative size value (the attacker has no control over the source data or this value).

The stats packet requires that the client is in the server, since the qport value specified in it and both IP and port must match those used by the player, so the attacker must know the password if the server is protected, must not be banned and must moreover have a valid cdkey if the internet server requires it.

=== 3) The Code ===

- plugin for the sudppipe proxy which modifies any stats packet, enabling type 7:

  http://aluigi.org/mytoolz/sudppipe.zip
  http://aluigi.org/poc/cod4statz_sudp.zip

  Usage example:

    sudppipe -l cod4statz_sudp.dll SERVER PORT 2

  then from the CoD4 client type:

    connect 127.0.0.1:2

  The plugin does a very simple job: when a "stats" packet is received it places the 0x07 byte at offset 12.

- stand-alone proof-of-concept which works versus servers without authorization (like LAN servers), for quickly testing one's own servers without needing a CoD4 client:

  http://aluigi.org/poc/cod4statz.zip

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
> Autonomy Keyview Folio Flat File Parsing Buffer Overflows
> Autonomy Keyview Applix Graphics Parsing Vulnerabilities
> Autonomy Keyview EML Reader Buffer Overflows
> activePDF DocConverter Folio Flat File Parsing Buffer Overflows
> activePDF DocConverter Applix Graphics Parsing Vulnerabilities
> Lotus Notes Applix Graphics Parsing Vulnerabilities
> Lotus Notes Folio Flat File Parsing Buffer Overflows
> Lotus Notes EML Reader Buffer Overflows
> Lotus Notes kvdocve.dll Path Processing Buffer Overflow
> Lotus Notes htmsr.dll Buffer Overflows
> Symantec Mail Security Folio Flat File Parsing Buffer Overflows
> Symantec Mail Security Applix Graphics Parsing Vulnerabilities

12 mails for the same library?

From what I have understood, all the bugs are just in this Autonomy Keyview library, so in my opinion reporting the same identical bugs for each piece of software which uses this third-party component, and moreover without saying that the problem is really in the library, is wrong and leads to a lot of confusion.

It's just as if someone found a bug in zlib and released one advisory for each program in the world which uses the library... the bug is not in these 10000 programs but only in zlib.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53
###

Luigi Auriemma

Application:  HP OpenView Network Node Manager
              http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bugs:         A] CGIs directory traversal
              B] Denial of Service in ovalarmsrv
              C] NULL pointer in ovalarmsrv
              D] process termination in ovtopmd
Exploitation: remote
Date:         11 Apr 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From the vendor's website:
OpenView NNM "automates the process of developing a hyper-accurate topology of your physical network, virtual network services and the complex relationships between them. It then uses that topology as the basis for intelligent root cause analysis to enhance network availability and performance."

=== 2) Bugs ===

-- A] CGIs directory traversal --

The CGIs available in NNM use some instructions which filter malicious chars in the parameters passed by the clients, for example to avoid directory traversal attacks, XSS and so on. The path delimiter filtered by these CGIs is the backslash char, so using the slash will allow an attacker to download files from the disk on which NNM is installed.

-- B] Denial of Service in ovalarmsrv --

The ovalarmsrv service listening on port 2954 can easily be frozen with CPU at 100%, and without the possibility of handling further requests on both its ports 2953 and 2954, simply by sending an incomplete multi-line request.

In short, the last numeric parameter of requests 25, 45, 46, 47 and 81 is used to specify how many sub-arguments (one per line) will be sent. So ovalarmsrv starts a loop which terminates when all the sub-arguments are received; closing the connection or not sending all or part of these arguments will freeze the entire service.

The following are all the supported requests and their "sscanf" format:

  REQUEST_CONTRIB_EVENTS  (22): "%d %d %s"
  REQUEST_PRINT           (25): "%d %d %d %d %s"
  REQUEST_DETAILS         (33): "%d %d %s"
  REQUEST_EVENT_DELETE    (35): "%d %d %s"
  REQUEST_EVENT_ACK       (36): "%d %d %s"
  REQUEST_RUN_ACTION      (37): "%d %d %s %s"
  REQUEST_SPECDATA        (41):
  REQUEST_EVENT_UNACK     (44): "%d %d %s"
  REQUEST_SAVE            (45): "%d %d %d %d %s"
  REQUEST_CAT_CHANGE      (46): "%d %d %d %[^\n]"
  REQUEST_SEV_CHANGE      (47): "%d %d %d %[^\n]"
  REQUEST_CONF_ACTIONS    (48): "%d %d\n"
  REQUEST_RESTORE_STATE   (62): "%d %[^\n]"
  REQUEST_SAVE_DIR        (63):
  REQUEST_LOCALE          (66): "%d"
  REQUEST_FORMAT_PRINT    (81): "%d %d %d %d %s"
  REQUEST_CONF_RUN_ACTION (??): "%d %d %d %[^\n]"

-- C] NULL pointer in ovalarmsrv --

The parameter which specifies the number of sub-arguments described above is used to allocate a certain amount of initial dynamic memory (value * 2) for storing all the sub-arguments, which is then reallocated when needed. Specifying a too big, unallocatable number of sub-arguments results in a NULL pointer which will crash the service.

-- D] process termination in ovtopmd --

The ovtopmd service listening on port 2532 uses a special type of packet (0x36) for forcing the termination of the process ("Exiting due to request of ovtopmd -k."), so an attacker can use this packet to cause a Denial of Service.

=== 3) The Code ===

A]
  http://SERVER/OvCgi/OpenView5.exe?Target=Main&Action=../../../../../../windows/win.ini

B,C,D]
  http://aluigi.org/poc/closedviewx.zip

  nc SERVER 2954 -v -v -w 2 < closedviewx1.txt
  nc SERVER 2954 -v -v < closedviewx2.txt
  nc SERVER 2532 -v -v < closedviewx3.txt

=== 4) Fix ===

HP has been alerted and is working on a fix

###

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Multiple vulnerabilities in HP OpenView NNM 7.53
Forget yesterday's advisory: the setup didn't install the 7.53 patches from the ISO, so I was working on an old version.

The following is a new vulnerability tested on 7.53:

http://aluigi.org/adv/closedview-adv.txt

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in HP OpenView NNM 7.53
###

Luigi Auriemma

Application:  HP OpenView Network Node Manager
              http://www.openview.hp.com/products/nnm/
Versions:     <= 7.53
Platforms:    Windows (tested), Solaris, Linux, HP-UX
Bugs:         A] format string in ovalarmsrv
              B] multiple buffer-overflows in ovalarmsrv
              C] Denial of Service in ovalarmsrv
Exploitation: remote
Date:         07 Apr 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From the vendor's website:
OpenView NNM "automates the process of developing a hyper-accurate topology of your physical network, virtual network services and the complex relationships between them. It then uses that topology as the basis for intelligent root cause analysis to enhance network availability and performance."

=== 2) Bugs ===

-- A] format string in ovalarmsrv --

The ovalarmsrv.exe process listening on port 2953 is affected by a format string vulnerability caused by the calling of ov.fprintf_new (which then calls vsprintf) using the final message without a format argument:

  "Connection Refused; Data in listener port corrupt: ATTACKER_STRING"

-- B] multiple buffer-overflows in ovalarmsrv --

The same process also listens on port 2954, where some types of requests are handled using specific sscanf formats:

  REQUEST_SEV_CHANGE    (47): "%d %d %d %[^\n]"
  REQUEST_SAVE_STATE    (61): "%d %[^\n]s"
  REQUEST_LOCAL         (66): "%d"
  REQUEST_RESTORE_STATE (62): "%d %s"
  REQUEST_SAVE_DIR      (63):

As visible from the previous format arguments, there are no checks on the length of the client string handled by requests 47, 61 and 62, which can be used to exploit a stack-based buffer overflow using a string parameter longer than 512 bytes.

-- C] Denial of Service in ovalarmsrv --

Another problem of the ovalarmsrv service is that it can easily be frozen with CPU at 100%, and without the possibility of handling further requests on port 2953/2954, simply by sending some invalid values.

=== 3) The Code ===

A] echo %n%n%s%n%n%s | nc SERVER 2953 -v -v
B] echo 62 A...512_'A's...A | nc SERVER 2954 -v -v
C] echo 47 1 2 what_you_want | nc SERVER 2954 -v -v -w 1

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal in LANDesk Management Suite 8.80.1.1
###

Luigi Auriemma

Application:  LANDesk Management Suite
              http://www.landesk.com/products/ldms/index.aspx
Versions:     <= 8.80.1.1
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         01 Apr 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

LANDesk is a well known system management software.

=== 2) Bug ===

The PXE TFTP Service is vulnerable to a classic directory traversal vulnerability exploitable by adding one or more chars before the usual dot-dot pattern.

The interesting thing is that version 8.80.1.1 was released just to fix another directory traversal vulnerability.

=== 3) The Code ===

http://aluigi.org/testz/tftpx.zip

  tftpx SERVER x\..\..\..\..\..\..\..\boot.ini none
  tftpx SERVER what_you_want/../../../../../../../windows/win.ini none

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal in 2X ThinClientServer v5.0_sp1-r3497
###

Luigi Auriemma

Application:  2X ThinClientServer
              http://www.2x.com/thinclientserver/
Versions:     <= v5.0_sp1-r3497 (TFTPd.exe <= 3.2.0.0)
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         29 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From the manual:
"2X ThinClientServer allows you to deploy a thin client OS to low-cost thin client devices and existing PCs, and centrally manage settings and configure to which terminal servers (Windows or Linux) a user should log on to."

=== 2) Bug ===

The 2X TFTP Service, enabled by default in ThinClientServer, is affected by a directory traversal vulnerability exploitable through the use of a sequence of 3 dots (instead of the classic two) to reach the parent directories.

=== 3) The Code ===

http://aluigi.org/testz/tftpx.zip

  tftpx SERVER .../.../.../.../.../.../boot.ini none
  tftpx SERVER ...\...\...\...\...\...\windows\win.ini none

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in solidDB 06.00.1018
###

Luigi Auriemma

Application:  IBM solidDB
              http://www.solidtech.com/en/products/relationaldatabasemanagementsoftware/embed.asp
Versions:     <= 06.00.1018
Platforms:    Windows (tested), Solaris, AIX, HP-UX and Linux
Bugs:         A] format string in logging function
              B] crash caused by arbitrary array index
              C] NULL pointer
              D] server termination through allocation error
Exploitation: remote
Date:         26 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From the vendor's website:
"solidDB 6 is a relational database designed for fast, always-on access to data under high throughput conditions, to satisfy the real-time demands of communications platforms and applications. It includes both in-memory and on-disk engines, accessed by a single SQL interface."

This engine, originally developed by Solid and now maintained by IBM, is also used in the products of various vendors.

=== 2) Bugs ===

-- A] format string in logging function --

The logging function used for keeping track of the various errors and operations (like wrong logins) is affected by a format string vulnerability, exploitable for example using a malformed user or peer name.

-- B] crash caused by arbitrary array index --

A 32-bit number provided by the client is used on the server as an index for reading some values from an array; a too big number can be used to crash the server due to an access to invalid memory.

-- C] NULL pointer --

A NULL pointer vulnerability can be exploited through the sending of a specific type of packet.

-- D] server termination through allocation error --

A malformed packet can be used to terminate the server with the error message "Out of central memory", caused by the impossibility of allocating a certain amount of memory.

=== 3) The Code ===

http://aluigi.org/poc/soliduro.zip

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Buffer-overflow in ASUS Remote Console 2.0.0.24
###

Luigi Auriemma

Application:  ASUS Remote Console
              http://www.asus.com/999/html/share/9/icon/9/index.htm#asmb3
Versions:     <= 2.0.0.24
Platforms:    Windows
Bug:          buffer overflow
Exploitation: remote
Date:         21 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From the manual:
"The ASUS Remote Console (ARC) is an efficient and flexible application that allows monitoring and control of the remote host."

The main component of this service is a telnet server listening on port 623, called DpcProxy, which provides an IPMI interface.

=== 2) Bug ===

The DPC Proxy is affected by a buffer overflow vulnerability located in the function which gets the data received from the client, stores it in a stack buffer of about 1024 bytes and checks for the presence of an end-of-line delimiter (carriage return).

=== 3) The Code ===

http://aluigi.org/poc/asuxdpc.txt

  nc SERVER 623 -v -v -w 2 < asuxdpc.txt

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple heap overflows in xine-lib 1.1.11
###

Luigi Auriemma

Application:  xine-lib
              http://xinehq.de
Versions:     <= 1.1.11
Platforms:    Linux, *BSD, Solaris, Irix, MacOSX, Windows and others
Bugs:         A] heap-overflow in demux_flv
              B] heap-overflow in demux_qt
              C] heap-overflow in demux_real
              D] heap-overflow in demux_wc3movie
              E] heap-overflow in ebml
              F] heap-overflow in demux_film
Exploitation: local
Date:         20 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From the developers' website:
"xine is a free (gpl-licensed) high-performance, portable and reusable multimedia playback engine. xine itself is a shared library with an easy to use, yet powerful API which is used by many applications for smooth video playback and video processing purposes."

The library and parts of its source code are widely used in many open source players and projects.

=== 2) Bugs ===

xine-lib is affected by various heap overflow vulnerabilities caused by the wrong 32-bit calculation of the amount of memory to allocate for some destination buffers and arrays. These bugs allow an attacker to control some registers or directly the code flow (as with demux_qt), which could lead to the execution of malicious code.

For brevity, the instructions in the source code which perform these bad allocations are shown directly.

-- A] heap-overflow in demux_flv --

From src/demuxers/demux_flv.c:

  static int parse_flv_var(demux_flv_t *this,
          unsigned char *buf, int size, char *key, int keylen) {
  ...
          this->index = xine_xmalloc(num*sizeof(flv_index_entry_t));
  ...
          this->index = xine_xmalloc(num*sizeof(flv_index_entry_t));

-- B] heap-overflow in demux_qt --

Practically almost any allocation instruction in src/demuxers/demux_qt.c is vulnerable to various types of heap overflows.

-- C] heap-overflow in demux_real --

From src/demuxers/demux_real.c:

  static void real_parse_index(demux_real_t *this) {
  ...
          *index = xine_xmalloc(entries * sizeof(real_index_entry_t));

-- D] heap-overflow in demux_wc3movie --

From src/demuxers/demux_wc3movie.c:

  static int open_mve_file(demux_mve_t *this) {
  ...
    this->palettes = xine_xmalloc(this->number_of_shots *
      PALETTE_SIZE * sizeof(palette_entry_t));

Note that the output buffer is filled using a special lookup table.

-- E] heap-overflow in ebml --

From src/demuxers/ebml.c:

  int ebml_check_header(ebml_parser_t *ebml) {
  ...
        char *text = malloc(elem.len + 1);

-- F] heap-overflow in demux_film --

From src/demuxers/demux_film.c:

  static int open_film_file(demux_film_t *film) {
  ...
        film->sample_table =
          xine_xmalloc(film->sample_count * sizeof(film_sample_t));

=== 3) The Code ===

http://aluigi.org/poc/xinehof.zip

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
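The allocation-size mistake in the xine snippets above, and the "allocate what the client asked for, then use the pointer" failures in the solidDB (bug D) and OpenView NNM ovalarmsrv (bug C) advisories, share one fix. The following is an added example written for this page, not code from xine-lib, solidDB or HP: it shows the wrapping 32-bit multiply next to an allocation helper that bounds the count, and a parser for a hypothetical "count + entries" index table that checks the count against the bytes actually present before allocating. The entry layout, the cap and all function names are assumptions.

```c
/*
 * Added example, not xine-lib, solidDB or OpenView code.  The index
 * format (u32be count, then count entries of u32be pts + u32be offset),
 * the MAX_INDEX_ENTRIES cap and every name here are hypothetical.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t pts;       /* hypothetical 8-byte index entry */
    uint32_t offset;
} index_entry_t;

#define MAX_INDEX_ENTRIES (1u << 20)   /* hypothetical sanity cap */

/* The flawed computation: the product wraps in 32 bits, so a count of
 * 0x20000001 with 8-byte entries asks the allocator for only 8 bytes
 * while the copy loop that follows still writes 0x20000001 entries. */
uint32_t unchecked_alloc_size(uint32_t num, uint32_t elem)
{
    return num * elem;
}

/* Overflow-safe array allocation: NULL if the count is above the cap,
 * cannot be multiplied without wrapping, or the allocator itself fails. */
void *checked_array_alloc(size_t num, size_t elem, size_t max_elems)
{
    if (elem == 0 || num > max_elems || num > SIZE_MAX / elem)
        return NULL;
    return calloc(num, elem);
}

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of entries stored in *out, or -1 on any untrusted
 * value.  The count is checked against the bytes present before any
 * allocation, and a NULL from the allocator is an error, not a pointer. */
long parse_index(const uint8_t *buf, size_t len, index_entry_t **out)
{
    uint32_t num, i;
    index_entry_t *tab;

    *out = NULL;
    if (len < 4)
        return -1;
    num = rd32be(buf);
    if (num > (len - 4) / sizeof(index_entry_t))
        return -1;                      /* claims more entries than exist */
    tab = checked_array_alloc(num, sizeof *tab, MAX_INDEX_ENTRIES);
    if (tab == NULL)
        return -1;
    for (i = 0; i < num; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * sizeof *tab;
        tab[i].pts = rd32be(e);
        tab[i].offset = rd32be(e + 4);
    }
    *out = tab;
    return (long)num;
}

/* Constructed inputs: a valid 2-entry index, and a header that claims
 * 0x20000001 entries but carries only two (the wrap trigger). */
static const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04,
};
static const uint8_t SAMPLE_BAD[] = {
    0x20, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04,
};

/* Parses one of the samples and returns its entry count (or -1). */
long sample_entries(int malicious)
{
    index_entry_t *tab;
    long n = malicious ? parse_index(SAMPLE_BAD, sizeof SAMPLE_BAD, &tab)
                       : parse_index(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &tab);
    free(tab);
    return n;
}

/* Offset field of entry i in the good sample, to check the copy loop. */
uint32_t sample_offset(uint32_t i)
{
    index_entry_t *tab;
    uint32_t v = 0;
    if (parse_index(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &tab) > (long)i)
        v = tab[i].offset;
    free(tab);
    return v;
}

int main(void)
{
    printf("wrapped size for 0x20000001 * 8 = %u bytes\n",
           unchecked_alloc_size(0x20000001u, 8));
    printf("good sample: %ld entries, bad sample: %ld\n",
           sample_entries(0), sample_entries(1));
    return 0;
}
```

The check against `(len - 4) / sizeof(index_entry_t)` is the one that matters for file parsers: a count that no file of this length could hold is rejected before arithmetic is even attempted, so the cap and the `SIZE_MAX / elem` guard only catch the streaming case where the total size is not known up front.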
[Full-disclosure] Multiple vulnerabilities in Net Inspector 6.5.0.828
###

Luigi Auriemma

Application:  MG-SOFT Net Inspector
              http://www.mg-soft.com/netinsp.html
              (bug C affects any MgWTrap3 service, which is included in almost all the MG-SOFT products like MIB Browser, Query Manager, Trap Ringer Pro and so on)
Versions:     Net Inspector <= 6.5.0.828
Platforms:    Windows and Linux
Bugs:         A] format string in mghttpd
              B] directory traversal in mghttpd
              C] crash in MgWTrap3
              D] Denial of Service in niengine
Exploitation: remote
Date:         14 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From the vendor's website:
"MG-SOFT Net Inspector is a powerful fault management application with alarming subsystem that complies with the international alarm reporting recommendations (ITU X.733). The software lets you effectively monitor the status of network devices and manage alarms associated with devices in the supervised TCP/IP network."

=== 2) Bugs ===

-- A] format string in mghttpd --

mghttpd is a simple HTTP daemon running on port 5228, used to allow the clients to download the Net Inspector Java Client. This server is affected by a format string vulnerability located in the function which logs the clients' requests in the log file.

-- B] directory traversal in mghttpd --

This service is also affected by a classic directory traversal vulnerability using both the plain slash and backslash delimiters, which can be exploited to download files from the disk on which the server is located.

-- C] crash in MgWTrap3 --

The SNMP Trap Service, other than binding the local TCP port and UDP 162 for collecting SNMP queries, also binds an additional UDP port which changes each time the service is executed (it uses the first free available port). Sending a packet (empty or with any content, since it's not important) directly to this port raises an exception which terminates the service immediately.

This service is the core of almost all the MG-SOFT products, which are therefore all vulnerable.

-- D] Denial of Service in niengine --

The Net Inspector Fault Management server (niengine) can easily be frozen with CPU at 100% and full memory consumption by means of a malformed or incomplete packet.

=== 3) The Code ===

A]
  GET /%n%n%s%s%n%n%n%s HTTP/1.0

B]
  GET ../../../../boot.ini HTTP/1.0
  GET \../..\../..\windows/win.ini HTTP/1.0

C]
  echo|nc SERVER PORT -v -v -u

D]
  echo -n -e \x2a\x45\x67\xf2\x00\x00\x00\x00|nc SERVER 5221 -v -v -w 1

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Buffer-overflow in BootManage TFTPD 1.99
###

Luigi Auriemma

Application:  BootManage TFTPD
              http://www.bootix.com/products/administrator_en.html
Versions:     <= 1.99 (BootManage Administrator <= 7.1)
Platforms:    Windows
Bug:          buffer-overflow
Exploitation: remote
Date:         16 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

BootManage TFTPD is a TFTP server for Windows implemented in BootManage Administrator. Although TFTP servers for other platforms exist on the bootix website, this 32-bit version for Windows is the most up to date.

=== 2) Bug ===

The TFTP server is affected by a buffer overflow vulnerability exploitable with a filename longer than 32 bytes when it is used for building the log string:

  sprintf(buffer, "%s: %s", filename, log_entry)

=== 3) The Code ===

http://aluigi.org/testz/tftpx.zip

  tftpx -f SERVER 2000 none

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] VLC highlander bug
The old buffer overflow in the subtitles handled by VLC has not been fully patched in version 0.8.6e; in fact buffer_text2 in ParseSSA is still unchecked:

  if( sscanf( s,
              "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]",
              buffer_text2,

The funny thing is that my old proof-of-concept was built just to test this specific buffer overflow, and in fact it works on the new VLC version too without modifications 8-)

The SVN version, instead, was and is patched since 10 months ago, as I wrote in my old advisory:

http://aluigi.org/adv/vlcboffs-adv.txt

---
Luigi Auriemma
http://aluigi.org
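The WebMod cookie loop, the NNM ovalarmsrv sscanf formats, the ASUS DpcProxy line reader and the VLC ParseSSA line above are the same two shapes: a copy-until-delimiter loop with no bound, and an sscanf "%[...]"/"%s" conversion with no width (or, in VLC's case, a width larger than the buffer). The following is an added example written for this page, not code from any of those projects: bounded versions of both that report a field which does not fit instead of overflowing or silently truncating it. Buffer sizes, the request id 62 and the function names are hypothetical.

```c
/*
 * Added example, not code from WebMod, OpenView NNM, ASUS ARC or VLC.
 * COOKIE_MAX, FIELD_MAX, the request id and all names are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define COOKIE_MAX 32     /* hypothetical; WebMod's is MYSOCK_BUFLEN+1 */
#define FIELD_MAX  512    /* hypothetical; NNM's stack buffer is 512 bytes */

/*
 * Bounded replacement for
 *   for(j=0; input[i] && input[i]!=';' && input[i]!='\n'; j++,i++) buf[j]=input[i];
 * Copies up to the first byte found in delims (or NUL).  Returns the
 * number of bytes copied, or -1 if the field does not fit in dstsz-1
 * bytes; dst is NUL-terminated in every case.
 */
long copy_field(char *dst, size_t dstsz, const char *src, const char *delims)
{
    size_t n = 0;
    if (dstsz == 0)
        return -1;
    while (src[n] != '\0' && strchr(delims, src[n]) == NULL) {
        if (n + 1 >= dstsz) {
            dst[0] = '\0';
            return -1;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Length of the first cookie value if it fits a COOKIE_MAX buffer, else -1. */
long cookie_field_len(const char *cookie_header)
{
    char buf[COOKIE_MAX];
    return copy_field(buf, sizeof buf, cookie_header, ";\r\n");
}

/*
 * Bounded replacement for sscanf(line, "%d %[^\n]", &id, text) into a
 * 512-byte buffer.  The width 511 (FIELD_MAX-1) stops the read; "%n"
 * then tells whether input was left over, which means the field was
 * longer than allowed and the request is rejected rather than truncated.
 * Returns the request id, or -1 for a malformed or oversized line.
 */
int parse_request(const char *line, char text[FIELD_MAX])
{
    int id, consumed = 0;
    text[0] = '\0';
    if (sscanf(line, "%d %511[^\n]%n", &id, text, &consumed) != 2)
        return -1;
    if (line[consumed] != '\0' && line[consumed] != '\n')
        return -1;
    return id;
}

/* Builds "62 AAAA..." with textlen A's (constructed input) and parses it. */
int request_with_text_len(size_t textlen)
{
    char line[2048], text[FIELD_MAX];
    if (textlen > sizeof line - 4)
        return -1;
    memcpy(line, "62 ", 3);
    memset(line + 3, 'A', textlen);
    line[3 + textlen] = '\0';
    return parse_request(line, text);
}

int main(void)
{
    printf("cookie 'session=abc; x=1' -> %ld bytes\n",
           cookie_field_len("session=abc; x=1"));
    printf("request text 511 bytes -> %d, 512 bytes -> %d\n",
           request_with_text_len(511), request_with_text_len(512));
    return 0;
}
```

Rejecting an oversized field rather than truncating it matters for a request parser: a silently truncated path or argument can still be parsed as something valid and sent on to the next stage, while a hard reject keeps the server's view of the request identical to what the client sent or drops it entirely.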
[Full-disclosure] Format string in McAfee Framework 3.6.0.569 (ePolicy Orchestrator 4.0)
###

Luigi Auriemma

Application:  McAfee Framework
              (implemented in McAfee ePolicy Orchestrator 4.0
              http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html)
Versions:     <= 3.6.0.569
Platforms:    Windows
Bug:          format string in _naimcomn_Log
Exploitation: remote
Date:         12 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

McAfee Framework is a framework used for building various services for the McAfee products. These services include HTTP servers and agents implemented, for example, in McAfee ePolicy Orchestrator and possibly other products.

=== 2) Bug ===

The logDetail function of applib.dll (which is just a link to naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding new log entries and is affected by a format string vulnerability caused by the calling of vsnwprintf without the needed format argument.

In McAfee ePolicy Orchestrator this vulnerability can be exploited through the sending of a simple UDP packet with a malformed sender, package or computer field. The output log file Agent_HOSTNAME.log is located in the Db folder.

=== 3) The Code ===

http://aluigi.org/poc/meccaffi.zip

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
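The ovalarmsrv (ov.fprintf_new), solidDB, mghttpd and McAfee _naimcomn_Log advisories above all describe the same logging mistake: client-supplied text reaches vsprintf/vsnwprintf as the format rather than as an argument. The following is an added example written for this page, not code from any of those vendors: a logger whose format is always a caller-chosen literal (with the GCC/Clang attribute that makes the wrong call a compiler warning), the "Connection Refused" line from the NNM advisory logged the right way, and a small check that counts conversion directives in client data so a probe like "%n%n%s" shows up in detection. Names, the line layout and the buffer size are hypothetical.

```c
/*
 * Added example, not code from OpenView NNM, MG-SOFT, solidDB or McAfee.
 * LOG_LINE_MAX, the message layout and all names are hypothetical.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256

/*
 * The vulnerable shape, for reference only (never call it with client data):
 *     void log_bad(char *out, const char *msg) { sprintf(out, msg); }
 * A client string such as "%n%n%s" is then parsed as directives.
 */

/* Variadic logger whose format is always a literal chosen by the caller.
 * The attribute makes GCC/Clang warn on log_line(out, sz, client_string). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                  /* truncated or failed: don't log half a line */
    return n;
}

/* Counts conversion directives in text that should never contain any;
 * "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/*
 * The "Connection Refused" path from the NNM advisory, with the client
 * data passed as an argument and not as the format.  Returns 1 if the
 * logged line ends with the client data verbatim, 0 on a logging failure.
 */
int log_refused_literal(const char *client_data)
{
    char line[LOG_LINE_MAX];
    size_t ll, cl;
    if (log_line(line, sizeof line,
                 "Connection Refused; Data in listener port corrupt: %s",
                 client_data) < 0)
        return 0;
    ll = strlen(line);
    cl = strlen(client_data);
    return ll >= cl && strcmp(line + ll - cl, client_data) == 0;
}

int main(void)
{
    /* Constructed probe, taken from the shape of the NNM PoC line. */
    const char *probe = "%n%n%s%n%n%s";
    printf("directives in probe: %d\n", count_format_directives(probe));
    printf("logged literally: %d\n", log_refused_literal(probe));
    return 0;
}
```

The counting routine is only a detection aid: legitimate client data rarely carries "%n" or "%s", so a log line or alert keyed on a non-zero count is cheap to add in front of any service that was patched for one of these bugs.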
Re: [Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5
<[EMAIL PROTECTED]> wrote:
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=589

"Motorola Inc. has addressed this vulnerability by releasing version 8.6.5 of Timbuktu Pro for Windows. For more information, consult the release notes at the following URL."

I have tested version 8.6.5 [RC 229] which, from what is written in that advisory, should be safe but it isn't.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Denial of Service in PacketTrap TFTP server 2.0.3901.0
###

Luigi Auriemma

Application:  pt360 Tool Suite PRO
              http://www.packettrap.com/product/index.aspx
Versions:     <= 2.0.3901.0
Platforms:    Windows
Bug:          Denial of Service of the TFTP server
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

pt360 is a suite of network tools.

###

=== 2) Bug ===

The TFTP server implemented in the pt360 suite can be easily interrupted through the uploading of files with invalid names; in this case an exception is raised which blocks the TFTP component and forces the user to restart the whole application for re-running it.

###

=== 3) The Code ===

http://aluigi.org/testz/tftpx.zip

  tftpx -u SERVER "\|" none
  tftpx -u SERVER "\"" none
  tftpx -u SERVER "<>" none
  tftpx -u -f SERVER 200 none

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5
###

Luigi Auriemma

Application:  Timbuktu Pro Remote Control Software
              http://www.netopia.com/software/products/tb2/
Versions:     <= 8.6.5 [RC 229]
Platforms:    Windows
              Mac OS X has not been tested
Bugs:         A] Denial of Service
              B] limited upload directory traversal
Exploitation: remote
Date:         10 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Timbuktu is a software for controlling the computer remotely.

###

=== 2) Bugs ===

--- A] Denial of Service ---

The instructions which handle the incoming instant messages are vulnerable to a couple of Denial of Service attacks. The first one consists in the possibility of crashing the program through an invalid Version field, while the other type of bug is the freezing and the subsequent termination of Timbuktu using an invalid or incomplete message.

--- B] limited upload directory traversal ---

Each message or attachment is considered by Timbuktu as a file which is stored in temporary folders in the program's directory. Although the program uses various ways to avoid possible directory traversal attacks, it is still possible for an attacker to upload files with any filename in any location of the disk on which Timbuktu is running.

The only limitation in this vulnerability is that Timbuktu changes the name of the file if one with the same name already exists, so for example if we specify notepad.exe but it already exists, the program will create the file notepad2.exe. Currently I have found no ways to bypass this limitation.

###

=== 3) The Code ===

http://aluigi.org/poc/timbuto.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] NULL pointer in Remotely Anywhere 8.0.668
###

Luigi Auriemma

Application:  Remotely Anywhere Server and Workstation
              http://www.remotelyanywhere.com
Versions:     <= 8.0.668
Platforms:    Windows
Bug:          NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Remotely Anywhere is a well known remote administration software.

###

=== 2) Bug ===

The RemotelyAnywhere.exe process (port 2000) can be easily crashed through an HTTP request with an invalid Accept-Charset parameter which leads to a NULL pointer.

The process will be restarted automatically within less than one minute by the management service, so an attacker needs to send the malformed request at regular intervals for keeping the server down as much as he desires.

###

=== 3) The Code ===

http://aluigi.org/poc/remotelynowhere.txt

  stunnel http_to_https.conf
  nc 127.0.0.1 80 -v -v < remotelynowhere.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Invalid memory access in Acronis True Image Group Server 1.5.19.191
###

Luigi Auriemma

Application:  Acronis True Image Group Server
              http://www.acronis.com/enterprise/products/ATIES/group-server.html
Versions:     <= 1.5.19.191
              (included in Acronis True Image Enterprise Server 9.5.0.8072 and the other True Image packages)
Platforms:    Windows
Bug:          invalid memory access
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Acronis Group Server is a component of Acronis True Image Echo Server (Workstation and Enterprise packages) which "allows the viewing and managing of backup tasks for all systems in the network from the Acronis Management Console".

###

=== 2) Bug ===

The packets used by this server contain some 16 bit fields which specify the length of the subsequent data. The problem is that the memory assigned for each packet is about 2048 bytes, so the server allocates the amount of memory specified by that 16 bit field and then tries to copy the data from the packet into this new buffer, with the subsequent crash of the service due to an invalid read access.

###

=== 3) The Code ===

http://aluigi.org/poc/acrogroup.txt

  nc SERVER 9877 -v -v -u -p 9876 < acrogroup.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in ASG-Sentry 7.0.0
###

Luigi Auriemma

Application:  ASG-Sentry
              http://www.asg-sentry.com
Versions:     <= 7.0.0
Platforms:    Windows and Unix
Bugs:         A] arbitrary files deleting
              B] heap-overflow in FxAgent
              C] termination of FxIAList
              D] buffer-overflow in FxIAList
Exploitation: remote
Date:         10 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"The ASG-Sentry family of products is a suite of tools strategically engineered to control, monitor, manage, and enhance your network. Sentry's tools provide you with full visibility to your network from any Web browser. Sentry also allows you to fully instrument your company's applications, CPUs, disk space, memory, files, Windows and UNIX platforms, and more."

###

=== 2) Bugs ===

--- A] arbitrary files deleting ---

The fcheck.exe (File Check Utility) CGI available in ASG is used for handling some index files which contain a list of filenames and checksums. The -b option of this utility allows the creation of these index files and it is possible to specify both the name of the output file and, optionally, the folder which will be scanned recursively for finding and reading the various files to add to the list.

The first vulnerability is in the possibility for an external attacker to use this CGI for overwriting existing files with no data (specifying a new folder which will be created by the same program) or with the list of filenames described before. Naturally it is possible to specify both files on the local disks or on network shares.

The second effect instead is the possibility of occupying CPU and disk for the scanning of any file in the disk simply by specifying, for example, c:\ as folder.

--- B] heap-overflow in FxAgent ---

The FxAgent process running on UDP port 6161 is used for handling the various SNMP requests. A community field longer than 64 bytes can be used by an attacker to exploit a heap-overflow.

--- C] termination of FxIAList ---

FxIAList is a service which runs on the TCP port 6162 and is used for the logging operations which include the commands "exit", "trace on", "verbose", "trace off" and the name of the log file to create (.xx.xx) and its content. The main problem is that the server doesn't require authentication, so anyone can send the "exit" command and the service will just terminate.

--- D] buffer-overflow in FxIAList ---

The same service described before is affected also by a stack based buffer-overflow which happens during the copying of the data we want to write to the log file (max 1023 bytes) in a buffer of only 500.

###

=== 3) The Code ===

http://aluigi.org/poc/asgulo.zip

A]
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+..\../..\boot.ini
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\windows\win.ini
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+c:\file.txt+c:\
  http://SERVER:6161/snmx-cgi/fcheck.exe?-b+\host\document.txt

  this link for the network share is correct because Apache converts any backslash to double, so that one becomes \\host\\document.txt

B]
  nc SERVER 6161 -v -v -u < asgulo_fxagent.txt

C]
  nc SERVER 6162 -v -v -w 1 < asgulo-ialist1.txt

D]
  nc SERVER 6162 -v -v -w 1 < asgulo-ialist2.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076
###

Luigi Auriemma

Application:  Acronis PXE Server
              http://www.acronis.com/enterprise/products/snapdeploy/
Versions:     <= 2.0.0.1076
Platforms:    Windows
Bugs:         A] directory traversal
              B] NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

The Acronis PXE Server is an essential component of Acronis Snap Deploy Server, a deployment solution for automatically configuring all the clients of the local network.

###

=== 2) Bugs ===

--- A] directory traversal ---

The PXE Server (pxesrv.exe) implements a TFTP server for allowing the downloading of the bootstrap files (uploading is not allowed). This service is vulnerable to classical directory traversal and arbitrary path attacks which allow an attacker to download any file from the local disks or the network shares.

--- B] NULL pointer ---

An incomplete TFTP request (anything which goes from the simple absence of the option field to the usage of only the 2 bytes for the opcode) causes the crashing of the PXE Server due to a NULL pointer access.

###

=== 3) The Code ===

A]
  http://aluigi.org/testz/tftpx.zip

  tftpx SERVER ..\../..\../boot.ini none
  tftpx SERVER c:\boot.ini none
  tftpx SERVER \\internal_host\documents\file.txt none

B]
  send the bytes 00 01 to UDP port 69 of the server:

  echo -n -e \x00\x01|nc SERVER 69 -v -v -u

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] NULL pointer in Acronis True Image Windows Agent 1.0.0.54
###

Luigi Auriemma

Application:  Acronis True Image Windows Agent
              http://www.acronis.com/enterprise/products/ATIES/windows-agent.html
Versions:     <= 1.0.0.54
              (included in Acronis True Image Enterprise Server 9.5.0.8072 and the other True Image packages)
Platforms:    Windows
              Linux is not affected
Bug:          NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

The Acronis Agent is an essential component of Acronis True Image Echo Server (Workstation and Enterprise packages) and is a server running on the TCP and UDP port 9876 which allows the local and remote management of Acronis TrueImage.

The Acronis True Image Windows Agent must not be confused with the Acronis Snap Deploy Management Agent which uses the same ports but a different protocol and so it's not affected by this bug.

###

=== 2) Bug ===

A NULL pointer vulnerability can be exploited through the sending of a malformed packet to the server, causing its immediate termination.

###

=== 3) The Code ===

http://aluigi.org/poc/acroagent.txt

  nc SERVER 9876 -v -v < acroagent.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal in Argon Client Management Services 1.31
###

Luigi Auriemma

Application:  Argon Client Management Services
              http://www.argontechnology.com/product.aspx/cid1/43
Versions:     <= 1.31 (TFTP Boot Server <= 2.5.3.1)
Platforms:    Windows
Bug:          directory traversal in TFTP Boot Server
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"Client Management Services® (CMS) includes all the server-based services (PXE Server, BOOTP Server) and administration tools needed to setup an open network boot environment. You can deploy your favorite third party client management tools in a pre-OS booting phase."

###

=== 2) Bug ===

The TFTP Boot Server is affected by a classical directory traversal vulnerability which allows an attacker to download (upload is not allowed) any file from the disk where the tftp folder is located.

###

=== 3) The Code ===

http://aluigi.org/testz/tftpx.zip

  tftpx SERVER ../../windows/win.ini none
  tftpx SERVER ..\boot.ini none

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in MailEnable Professional/Enterprise 3.13
###

Luigi Auriemma

Application:  MailEnable Professional and Enterprise
              http://www.mailenable.com
Versions:     <= 3.13
Platforms:    Windows
Bugs:         A] multiple post-auth buffer-overflows
              B] NULL pointers
Exploitation: remote, versus the IMAP service
Date:         07 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

MailEnable is a mail server for Windows which supports various protocols like SMTP, POP3, IMAP, webmail and an HTTPMail service.

###

=== 2) Bugs ===

--- A] multiple post-auth buffer-overflows ---

The IMAP service (MEIMAPS.exe) of MailEnable is affected by some buffer-overflow vulnerabilities caused by too long parameters passed to the FETCH, EXAMINE and UNSUBSCRIBE commands, allowing an attacker to execute malicious code. All the vulnerable commands require an account to be exploited.

--- B] NULL pointers ---

The IMAP service is affected also by two NULL pointer vulnerabilities exploitable through the omission of the required arguments for the SEARCH and APPEND commands, where the first can be used by unauthenticated attackers too.

###

=== 3) The Code ===

http://aluigi.org/poc/maildisable.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal in MicroWorld eScan Server 9.0.742.98
###

Luigi Auriemma

Application:  MicroWorld eScan Server (aka eScan Management Console)
              http://www.mwti.net
Versions:     <= 9.0.742.98
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         06 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"The Powerful Management Console of eScan provides options for system administrators to remotely administer a vast network of clients. It also allows them to remotely install eScan, deploy upgrades and updates and enforce an Integrated Security Policy for the entire Enterprise."

###

=== 2) Bug ===

The eScan Server (eserv.exe) listens on port 2021 for FTP connections using c:\pub as root path. Although the server tries to avoid possible directory traversal attacks, for example rejecting the dotdot patterns, it is still possible for an attacker to download any file from the disk of the remote system simply by applying a slash or a backslash at the beginning of the filename for selecting the root path of the disk. For example /boot.ini, \windows\win.ini and so on.

Only downloading files is allowed by the server, so deleting or uploading custom files is not possible.

###

=== 3) The Code ===

ftp://SERVER:2021//windows/win.ini

or manually:

  ftp -A
  open SERVER 2021
  get /windows/win.ini local_win.ini

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
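The Acronis PXE, Argon and eScan advisories above all describe file servers that join a client-supplied name to a root directory without a sufficient check. As an added example that is not any of these vendors' code, here is a whitelist check for such a name that rejects every shape those advisories rely on (function names and the root path are assumptions of this example):

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from any vendor above: a whitelist check for a
 * filename received by a TFTP- or FTP-style server that must serve only
 * files below one root directory.  It rejects every shape the Acronis PXE,
 * Argon and eScan advisories rely on: ".." components in any mix of '/' and
 * '\', a leading '/' or '\' (which eScan resolves from the disk root), a
 * drive letter such as "c:\", and UNC paths like "\\host\share". */

static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Returns 1 when `name` is a plain relative path made only of ordinary
 * components, 0 otherwise.  Works on the request string itself, before it
 * is ever joined to the root, so no OS path resolution is involved. */
int served_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || name[0] == '\0')
        return 0;
    if (is_sep(name[0]))                 /* "/boot.ini", "\\host\share\x" */
        return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;                        /* "c:\boot.ini" */

    while (*p != '\0') {
        const char *start = p;
        size_t len;

        while (*p != '\0' && !is_sep(*p))
            p++;
        len = (size_t)(p - start);
        if (len == 0)                    /* "a//b": empty component */
            return 0;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;                    /* ".." anywhere, "..\" or "../" */
        if (len == 1 && start[0] == '.')
            return 0;                    /* "." adds nothing; reject */
        if (*p != '\0') {
            p++;                         /* skip the separator */
            if (*p == '\0')
                return 0;                /* trailing separator */
        }
    }
    return 1;
}

/* Joins root and name with '/' only after the check passes.  Returns 1 on
 * success; 0 if the name was rejected or `out` is too small. */
int build_served_path(const char *root, const char *name,
                      char *out, size_t outsz)
{
    int n;
    size_t i;

    if (!served_name_is_safe(name))
        return 0;
    n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz)
        return 0;
    for (i = 0; i < (size_t)n; i++)      /* normalise '\' to '/' */
        if (out[i] == '\\')
            out[i] = '/';
    return 1;
}
```

A server that follows symlinks or lets the OS resolve the final path should additionally canonicalise the joined path and confirm it still begins with the root.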
[Full-disclosure] Multiple vulnerabilities in Perforce Server 2007.3/143793
###

Luigi Auriemma

Application:  Perforce Server
              http://www.perforce.com
Versions:     <= 2007.3/143793
Platforms:    Windows, Unix, Linux and Mac
Bugs:         NULL pointers, invalid memory access and endless loop
Exploitation: remote
Date:         05 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"Perforce SCM (Software Configuration Management) versions and manages source code and digital assets for enterprises large and small."

###

=== 2) Bugs ===

The Perforce server is affected by multiple vulnerabilities which allow any unauthenticated attacker to crash the server or consume all its resources.

The first type of vulnerabilities includes the NULL pointers generated by the absence of some parameters in the client's request and the lack of checks on the pointers returned by the functions which get these values from the packets. The commands affected by these NULL pointer vulnerabilities are the following: dm-FaultFile, dm-LazyCheck, dm-ResolvedFile, dm-OpenFile, crypto and possibly others.

A secondary type of vulnerabilities is exploitable through the server-DiffFile and server-ReleaseFile commands; in this case the problem is caused by the 32 bit number provided by the client which is used as amount of elements in the initialization of an array.

Another problem is then exploitable again with a malformed server-DiffFile command and allows forcing the server into an endless loop which will cause its termination after having consumed all the memory and the resources of the system.

###

=== 3) The Code ===

http://aluigi.org/poc/perforces.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Arbitrary commands execution in Versant Object Database 7.0.1.3
###

Luigi Auriemma

Application:  Versant Object Database
              http://www.versant.com/en_US/products/objectdatabase
Versions:     <= 7.0.1.3
Platforms:    Windows, Solaris, HP-UX, AIX, Linux
Bug:          arbitrary commands execution
Exploitation: remote
Date:         04 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"The Versant Object Database is the market leader in object databases. Using Versant Object Database for data storage brings powerful advantages to applications that use complex C++ and Java object models, have high concurrency requirements, and large data sets. The Versant Object Database is designed to handle the navigational access, seamless data distribution, and enterprise scale often required by these applications."

The Versant server is used also in other stand-alone products like, for example, Borland CaliberRM, which naturally are vulnerable too.

###

=== 2) Bug ===

VersantD is the service used for managing the Versant database and by default listens on port 5019 with the subsequent assigning of a new port after a client connects to it, so the client connects to port 5019 where it is handled by the ss.exe process and after the initial exchange of data the connection continues on the new port.

The first incredible thing which happens when a client connects is that the full paths which will be used by the server to launch the needed programs or locate the database files are passed directly by the same client. That means for example that if a client passes c:\folder in the VERSANT_ROOT field, the server will run (in case the "-utility" command is used) "c:\folder\bin\obe.exe -version 7.0.1 -dbtype + -nettype 2 -arch 11 -utility -soc 220 o_oscp" through the vs_prgExecAsync function.

Then using a custom command value (at the place of the "-utility" shown before) beginning with the "..\" pattern for removing the "\bin\" folder added by the server forces it to execute not only a custom executable decided by the attacker but also any additional argument too. Naturally it is also possible to execute remote commands not available on the server through, for example, the Windows shares simply using \\myhost\myfolder as path.

So, to sum up, through the Versant server an attacker can execute any local or remote custom command.

The following is the full command-line executed through a custom command value (in my proof-of-concept there is the explanation of all the fields) with the parameters supplied by the client in upper case:

  "VERSANT_ROOT\bin\OUR_COMMAND OUR_ARGUMENTS -noprint -username VERSANT_USER -release VERSANT_REL -rootpath VERSANT_ROOT -dbpath VERSANT_DB -dbidpath VERSANT_DBID -dbidnode VERSANT_DBID_NODE DATABASE_NAME -posterrstk"

It's enough to use a line-feed at the end of our arguments for dropping all the useless stuff which starts from "-noprint".

Note: all the tests have been performed on the Windows version of the server, so the exploitation could differ a bit on the other supported platforms.

###

=== 3) The Code ===

http://aluigi.org/poc/versantcmd.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple integer overflows in Borland StarTeam server 10.0.0.57
###

Luigi Auriemma

Application:  Borland StarTeam server 2008
              http://www.borland.com/starteam/
Versions:     <= 10.0.0.57
Platforms:    Windows
Bugs:         multiple integer overflows
Exploitation: remote
Date:         02 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"Borland® StarTeam® is a fully integrated, cost-effective software change and configuration management tool, designed for both centralized and geographically distributed software development environments."

###

=== 2) Bugs ===

The server is affected by multiple integer overflow vulnerabilities caused by the calculation of the amount of memory it needs to allocate for some arrays received from the clients.

The main ways I have found for exploiting these vulnerabilities are through the PROJECT_LOGIN and SET_SERVER_ACL commands, where the 32 bit number received from the client which specifies the amount of entries in the packet is multiplied respectively by 8 (or 4, depending on the folder names or specifications) and 12; the result is then used for allocating the memory without considering the 32 bit limit.

The effect of this operation is a heap overflow which allows an attacker to control some registers, and there could be a possibility of executing malicious code.

For both ways it is necessary to have a valid account; privileges are not necessary, so the least privileged one is good too.

###

=== 3) The Code ===

http://aluigi.org/poc/starteamz.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Heap overflow in Borland VisiBroker Smart Agent 08.00.00.C1.03
###

Luigi Auriemma

Application:  Borland VisiBroker Smart Agent
              http://www.borland.com/visibroker/
Versions:     <= 08.00.00.C1.03
Platforms:    Windows
Bug:          heap overflow
Exploitation: remote
Date:         03 Mar 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From vendor's website:
"Borland® VisiBroker® is the most widely deployed CORBA ORB infrastructure product on the market, with more than 30 million licenses in use. Its robust CORBA-based environment makes it ideal for developing and deploying distributed computing applications."

Smart Agent (osagent.exe) is a program which provides ORB object location and failure detection services; it's an essential component for allowing remote and local administrators (Borland VisiBroker Console) to manage and locate the servers in the domain.

###

=== 2) Bug ===

Smart Agent binds the UDP port 14000 and a UDP and TCP port which changes at every launch (the first free ports to bind found by the program).

The protocol used on these three ports (so all exploitable) includes the handling of strings that are composed by a 32 bit number which tells how long the string is and a subsequent 32 bit number which specifies the size in the packet padded to 8.

It's enough to set 0x as first number to cause the allocation of 0 bytes of memory (0x + 1) and the subsequent usage of strncpy(allocated_memory, our_string, our_padded_size), which can allow an attacker to crash the service or possibly execute malicious code.

There is also a secondary minor vulnerability; in fact the server is automatically terminated if the amount of memory specified by the client can't be allocated.

###

=== 3) The Code ===

http://aluigi.org/poc/visibroken.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
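The Acronis Group Server, StarTeam and VisiBroker advisories above are three variants of one mistake: a count or length taken from the packet reaches the allocator and the copy without being checked against the 32-bit range or against the bytes actually present. As an added example that is none of these vendors' code, the checks below do the arithmetic in uint32_t, as a 32-bit server would, so that the wrap-around is caught before it matters (function names and the element sizes are assumptions of this example):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not vendor code, for the allocation-sizing bugs in the
 * Acronis Group Server, StarTeam and VisiBroker advisories above.  All
 * arithmetic on wire-supplied counts and lengths is done in uint32_t,
 * as a 32-bit server would, so that the wrap-around is visible and is
 * caught before the value reaches the allocator. */

/* count * elem_size as the server computes it (StarTeam: entries * 12).
 * Returns 1 and stores the product, or 0 if it does not fit in 32 bits. */
int checked_mul32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* len + 1 for the terminating NUL (VisiBroker).  Returns 0 when len is
 * 0xffffffff, the value that makes len + 1 wrap to a 0-byte allocation. */
int checked_str_alloc32(uint32_t len, uint32_t *out)
{
    if (len == UINT32_MAX)
        return 0;
    *out = len + 1;
    return 1;
}

/* Allocate an array described by a wire count, refusing it when the size
 * wraps or when the packet does not actually carry that many bytes (the
 * Acronis Group Server case: a 16-bit length larger than the ~2048-byte
 * packet buffer it is copied from). */
void *alloc_array_from_packet(uint32_t count, uint32_t elem_size,
                              size_t bytes_remaining)
{
    uint32_t total;

    if (!checked_mul32(count, elem_size, &total))
        return NULL;
    if (total > bytes_remaining)
        return NULL;
    return malloc(total ? total : 1);
}

/* Copy a length-prefixed wire string into a fresh NUL-terminated buffer.
 * Returns NULL if the length field is inconsistent or malloc fails; an
 * unchecked NULL from malloc would itself be a crash waiting to happen. */
char *dup_string_from_packet(const unsigned char *data, size_t bytes_remaining,
                             uint32_t len)
{
    uint32_t alloc;
    char *s;

    if (!checked_str_alloc32(len, &alloc))
        return NULL;
    if (len > bytes_remaining)
        return NULL;
    s = malloc(alloc);
    if (s == NULL)
        return NULL;
    memcpy(s, data, len);
    s[len] = '\0';
    return s;
}
```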
[Full-disclosure] Buffer-overflow in the passwords handling of Trend Micro OfficeScan 8.0 and possibly other products
###

Luigi Auriemma

Application:  Trend Micro OfficeScan Corporate Edition
              http://us.trendmicro.com/us/products/enterprise/officescan-client-server-edition/
              other Trend Micro products could be affected by this vulnerability since it's located in a function used to decrypt a specific type of passwords used by this vendor
Versions:     <= v8.0 Patch 2 - build 1189
              <= v7.3 Patch 3 - build 1314
Platforms:    Windows
Bugs:         A] buffer-overflow in the decryption function of the passwords
              B] endless dead processes
Exploitation: remote
              (no tests have been performed to check for a possible local exploiting of the vulnerability on the clients machines for killing the antivirus or the monitor processes or escalating privileges)
Date:         27 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

OfficeScan is an anti-virus client and server developed by Trend Micro. The server is mainly a set of CGIs, ActiveX and web pages which run on a pre-existent web server or on the included Apache installation.

As already written in the header of this advisory the vulnerability could affect other products too.

###

=== 2) Bugs ===

--- A] buffer-overflow in the decryption function of the passwords ---

The first time I saw the so called OfficeScan's passwords was almost two years ago and in short they are just MD5 hashes of the original password plus an additional encryption, but I was never interested to go deeper in the matter and I don't know if something has been changed from that time.

I wrote something incomplete about them a lot of time ago in case someone is curious or wants to add something:

http://aluigi.org/pwdrec/officescan_pwdmd5.txt

The function for decrypting these data is always the same one used in "any" program that needs to handle this type of passwords, so the CGIs which read the password of the admin/user who wants to log in the web management (for example cgiChkMasterPwd.exe), the PolicyServer (policyserver.exe which receives the client's password from the cgiABLogon.exe CGI) and naturally the same server and all the clients.

In short the function verifies that the input password starts with the !CRYPT! string and then copies the subsequent data in a stack buffer of 512 bytes without verifying its correct length, with the obvious result of a buffer-overflow.

Not all the versions of OfficeScan can be exploited for executing malicious code (7.3 is fully exploitable) because on some of them (like the latest 8.0) the exception handler terminates the process if it notices a stack corruption, and so in these cases the only effect can be a Denial of Service (like what happens with the PolicyServer where current and new users can no longer use the service; in fact although the auto-restarting function exists it will not work until the dead process is killed or the error message acknowledged) or just a dead process which will not affect the correct usage of the services.

--- B] endless dead processes ---

The following vulnerability is reported here only for thoroughness and is very simple: a couple of NULL pointer vulnerabilities in the CGI executables used by the server can be exploited to create endless dead processes on the server, causing a possible Denial of Service after many of them.

These NULL pointers are caused by two factors: the lack of the Content-Length field in the HTTP request and the usage of invalid sequences of chars in the CGIs parameters (both of them have been tested on the included Apache server).

###

=== 3) The Code ===

http://aluigi.org/poc/officescaz.zip

  nc SERVER 8080 -v -v < officescaz1.txt
  nc SERVER 8080 -v -v < officescaz2.txt
  nc SERVER 8080 -v -v < officescaz3.txt
  nc SERVER 8080 -v -v < officescaz4.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] NULL pointer in SurgeFTP 2.3a2
###

Luigi Auriemma

Application:  SurgeFTP
              http://www.netwinsite.com/surgeftp/
Versions:     <= 2.3a2
Platforms:    Windows, Linux and Solaris
Bug:          NULL pointer access
Exploitation: remote
Date:         25 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

SurgeFTP is a commercial FTP server which supports also SSL/TLS and has a web interface for remote administration.

###

=== 2) Bug ===

When a Content-Length parameter is received from the client, SurgeFTP tries to allocate the amount of memory (max 2147483647 bytes) specified in this field and then copies the data in the resulting new buffer.

The problem is in the lack of checks on the result of the allocation, which leads to the crash of the entire server during the copying of the data to a NULL pointer if that amount of memory cannot be allocated.

###

=== 3) The Code ===

http://aluigi.org/poc/surgeftpizza.txt

  nc SERVER 7021 -v -v < surgeftpizza.txt

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Format string and buffer-overflow in SurgeMail 38k4
#######################################################################

                             Luigi Auriemma

Application:  SurgeMail Mail Server
              http://netwinsite.com/surgemail/
              Netwin's WebMail
              http://netwinsite.com/webmail/
Versions:     SurgeMail <= 38k4 and beta 39a
              Netwin's WebMail <= 3.1s (only bug A)
Platforms:    Windows, Linux, FreeBSD, MacOSX and Solaris
Bugs:         A] format string in webmail.exe's page command
              B] buffer-overflow in the building of environment strings
Exploitation: remote
Date:         25 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

SurgeMail is a well known commercial multiplatform mail server which supports many protocols.

#######################################################################

=== 2) Bugs ===

--- A] format string in webmail.exe's page command ---

The CGI used for the handling of the webmail interface (webmail.exe) is affected by a format string vulnerability in the function which builds the error message when a wrong page is requested and passes it directly to lvprintf without the needed format argument:

  "TPL: Failed to Locate Template {c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"

Sample URL for exploiting the vulnerability:

  http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s

--- B] buffer-overflow in the building of environment strings ---

A buffer overflow vulnerability is located in the function which handles the real CGI executables (which must not be confused with the .cgi virtual files like user.cgi, admin.cgi and so on).

When the server receives a HTTP request for a real CGI (like for example webmail.exe) it uses a buffer of about 2 bytes for storing all the environment strings which will be passed to the called program. The HTTP fields passed by the client in his request are truncated at 200 bytes for the parameter and 800 for its value and are added as environment variables (HTTP_parameter=value).

The lack of checks on the size of this environment buffer leads to a buffer-overflow; anyway, although it is possible to control some registers, code execution is not certain.

Naturally both the surgemail and the swatch (port 7027) processes are affected by this vulnerability.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/surgemailz.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in Double-Take 5.0.0.2865
#######################################################################

                             Luigi Auriemma

Application:  Double-Take
              http://www.doubletake.com
Versions:     <= 5.0.0.2865 (version 4.5.x tested with success too)
Platforms:    Windows
Bugs:         A] server termination through "vector too long" exception
              B] NULL pointer crash
              C] termination through memory allocation
              D] information disclosure
              E] other exceptions
Exploitation: remote
Date:         22 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

Double-Take is a disaster recovery and backup software distributed also under other different names depending on the company which distributes it, like for example HP StorageWorks Storage Mirroring (where version 4.5.0.1629 is vulnerable to a pre-auth buffer overflow).

#######################################################################

=== 2) Bugs ===

--- A] server termination through "vector too long" exception ---

The Double-Take service can be terminated through an exception raised when the size of a "vector" value is bigger than what is supported. Different ways exist for exploiting this vulnerability; anyway the two main arbitrary effects are the "vector too long" exception or CPU at 100%.

--- B] NULL pointer crash ---

The server can be crashed through malformed packets (like 0x2722 and 0x272a) which cause the access to a NULL pointer.

--- C] termination through memory allocation ---

An error with some packets allows to allocate a partially arbitrary amount of memory, with the possibility to crash the process when no additional memory is available.

--- D] information disclosure ---

The server sends various types of information to any unauthenticated user, for example the running operating system and the program's paths with packet 0x2728, the ethernet adapters with packet 0x274e, all the partitions and their types of filesystem with packet 0x2726, the printer driver with 0x274f and the latest log entries using packet 0x2757.

--- E] other exceptions ---

Additional problems also exist, mainly exploitable through packet 0x2719, which cause respectively a "ospace/time/src\date.cpp" exception and the recursive calling of a function which fills the available stack and causes the silent termination of the service.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/doubletakedown.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Heap overflow in Sybase MobiLink 10.0.1.3629
#######################################################################

                             Luigi Auriemma

Application:  Sybase MobiLink
              http://www.sybase.com/developer/mobile/sqlanywhere/mobilink
Versions:     <= 10.0.1.3629
Platforms:    Windows and Linux/Unix
Bug:          heap overflow
Exploitation: remote
Date:         20 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

MobiLink is a centralized synchronization server for mobile platforms included in the Sybase SQL Anywhere package.

#######################################################################

=== 2) Bug ===

The MobiLink server is affected by a heap overflow which happens during the handling of some strings like username, version and remote ID (all pre-auth) when they have a length greater than 128 bytes.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/mobilinkhof.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple buffer-overflow in NowSMS v2007.06.27
#######################################################################

                             Luigi Auriemma

Application:  Now SMS/MMS Gateway
              http://www.nowsms.com
Versions:     <= v2007.06.27
Platforms:    Windows
Bugs:         A] web authorization buffer-overflow
              B] SMPP buffer-overflow
Exploitation: remote
Date:         19 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

NowSMS is a commercial SMS and MMS Content Delivery Solution.

#######################################################################

=== 2) Bugs ===

--- A] web authorization buffer-overflow ---

The web interface of NowSMS, which listens on port 8800, allows the users to use the gateway for sending various types of messages (EMS, binary, WAP, MMS and so on). The function which handles the base64 password located in the HTTP Authorization parameter is affected by a stack based buffer-overflow exploitable with more than 256 bytes. The server can be exploited both in case it requires and doesn't require authentication.

--- B] SMPP buffer-overflow ---

NowSMS uses a stack buffer of 4 kilobytes for containing the incoming SMPP packets. The lack of checks on the real size of these packets (max 0x bytes) leads to a buffer-overflow vulnerability which can be exploited by an attacker to execute malicious code remotely. The SMPP server is not enabled by default and doesn't have a default listening port (the admin must decide it).

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/nowsmsz.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Access violation and limited information disclosure in webcamXP 3.72.440.0
#######################################################################

                             Luigi Auriemma

Application:  webcamXP
              http://www.webcamxp.com
Versions:     <= 3.72.440.0
              <= beta 4.05.280
Platforms:    Windows
Bug:          access violation with limited information disclosure
Exploitation: remote
Date:         18 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

webcamXP is a commercial webcam software with an integrated webserver for sharing one's own videos.

#######################################################################

=== 2) Bug ===

The pocketpc and show_gallery_pic URIs are used by the external users for watching the images of the current webcams. The problem is that there are no checks on the webcam's number passed by the client, allowing an attacker to go outside the array which contains all the data about each webcam.

The main effect of this bug is the silent interruption of the service due to the access violation caused by the reading of unallocated memory, visible in the browser of the client who has performed the malicious request. For example /pocketpc allows access to the memory above and below offset 007196f0 (the location of the array in version 3.72.440.0) with steps of 6360 bytes for each webcam number.

The secondary effect is the possibility of reading 8 bytes of the process's memory in a partially arbitrary way (the array's offset is fixed but it is only possible to jump 6360 bytes at a time), since /pocketpc displays these two 32 bit numbers in the "width" and "height" parameters of the returned HTML page, as visible in the assembly code starting from offset 006BD46F.

#######################################################################

=== 3) The Code ===

  http://SERVER:8080/pocketpc?camnum=99&mode=0
  http://SERVER:8080/pocketpc?camnum=-99&mode=0
  http://SERVER:8080/show_gallery_pic?id=99

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Two heap overflows in Foxit WAC Server 2.0 Build 3503
#######################################################################

                             Luigi Auriemma

Application:  Foxit Remote Access Server (WAC Server)
              http://www.foxitsoft.com/wac/server_intro.php
Versions:     <= 2.0 Build 3503
Platforms:    Windows
Bugs:         A] telnet option heap overflow
              B] SSH packet heap overflow
Exploitation: remote
Date:         16 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

WAC is a commercial SSH/telnet server for Windows.

#######################################################################

=== 2) Bugs ===

--- A] telnet option heap overflow ---

The WAC server is vulnerable to a heap overflow exploitable through the usage of options longer than 260 bytes.

Note: this bug was wrongly reported by me as a crash and with a wrong server version one month ago.

--- B] SSH packet heap overflow ---

The server is also affected by another heap overflow exploitable through big SSH packets; anyway no deeper research has been performed on this vulnerability.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/wachof.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] NULL pointer crash in freeSSHd 1.20
#######################################################################

                             Luigi Auriemma

Application:  freeSSHd
              http://www.freesshd.com
Note:         it is possible that the problem also affects wodSSHServer; anyway this has not been tested
Versions:     <= 1.2.0
Platforms:    Windows
Bug:          NULL pointer crash
Exploitation: remote
Date:         17 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

freeSSHd is a free SSH server for Windows.

#######################################################################

=== 2) Bug ===

The server can be crashed through a NULL pointer access simply by sending a SSH2_MSG_NEWKEYS packet as first command.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/freesshdnull.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0
[EMAIL PROTECTED] wrote:
> http://www.safenet-inc.com/support/tech/sentinel.asp#

Yes I got the files from there.
You can see the change of the version from the Version tab in the properties of the executables.
The versions change from 7.4.0.0 for Protection and 1.0.3.0 for the Keys server to 7.4.1.0 and 1.0.4.0.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal and DoS in WinIPDS G52-33-021
#######################################################################

                             Luigi Auriemma

Application:  Intermate WinIPDS
              http://www.intermate.com/ipdssoftware
Versions:     <= Release 3.3 Revision G52-33-021
Platforms:    Windows
Bugs:         A] directory traversal in web administration
              B] Denial of Service versus the IPDS port
Exploitation: remote
Date:         12 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

WinIPDS is a commercial AFP (Advanced Function Printing) and IPDS (Intelligent Printer Data Stream) print server for Windows.

#######################################################################

=== 2) Bugs ===

--- A] directory traversal in web administration ---

WinIPDS includes a web server for the remote administration of the service. This web interface is vulnerable to a classical directory traversal attack, exploitable with both the plain slash and backslash delimiters, allowing an attacker to download any file from the disk on which the program is installed.

--- B] Denial of Service versus the IPDS port ---

5001 is the port used by the IPDS service for the remote printing of the files. The problem here is that packets smaller than the size they should have cause CPU at 100% and the inability to handle the printing commands of the users. The packet types which cause this effect are 3, 5, 7, 13, 14 and 15.

#######################################################################

=== 3) The Code ===

A] GET /../../../../../boot.ini HTTP/1.0
   or
   POST /..\../..\../..\boot.ini HTTP/1.0

B] http://aluigi.org/poc/winipds.txt

   nc SERVER 5001 -v -v -w 3 < winipds.txt

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Unicode buffer-overflow in RPM Remote Print Manager 4.5.1.11
#######################################################################

                             Luigi Auriemma

Application:  RPM Remote Print Manager
              http://lpd.brooksnet.com
Versions:     <= 4.5.1.11 (tested both the Elite and Select versions)
              the beta version 5.0.38.0 does NOT seem vulnerable
Platforms:    Windows
Bug:          unicode buffer-overflow
Exploitation: remote
Date:         11 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

Remote Print Manager (RPM) is a commercial LPD server for Windows.

#######################################################################

=== 2) Bug ===

RPM is affected by a unicode buffer-overflow during the handling of the "data file" name used for the creation of the temporary file to print.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/rpmlpdbof.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0
[EMAIL PROTECTED] wrote:
> Interesting, how are you running the Get command? Is safenet
> installed on a workstation or server?

Here I have Windows XP Pro SP2.
All the tests have been made using the raw GET request as I reported in my advisory, using netcat, because the browsers usually modify the delimiters or just the entire URI: for example IE converts backslashes into slashes while Firefox drops ../ and converts \ into %5c.

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0
[EMAIL PROTECTED] wrote:
> Hello everyone, was the server rebooted after the patch was installed?

Naturally; in fact before the patch I was able to exploit the directory traversal with both slash and backslash, while after having applied the fix only when I use the backslash.
I have also uninstalled, redownloaded and reinstalled both the program and the patch just now and I can confirm the exact behaviour described above.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0
#######################################################################

                             Luigi Auriemma

Application:  SafeNet Sentinel Protection Server
              SafeNet Sentinel Keys Server
              http://www.safenet-inc.com
Versions:     <= 7.4.1.0 (aka SPI740SecurityPatch)
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         10 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

The Sentinel Protection and Key Server are two simple webservers for the monitoring of the licenses and listen respectively on ports 6002 and 7002.

#######################################################################

=== 2) Bug ===

Both the webservers are affected by a directory traversal vulnerability exploitable using the backslash delimiter (the servers don't support hex chars), allowing an attacker to download any file on the disk on which the services are installed.

It's funny to note that the security patch available from November 2007 was released just to fix a directory traversal vulnerability, but they dropped only the slash delimiter, leaving the backslash working.

#######################################################################

=== 3) The Code ===

  GET /..\..\..\..\..\..\..\boot.ini HTTP/1.0

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105
#######################################################################

                             Luigi Auriemma

Application:  Larson Software Technology Network Print Server
              http://www.cgmlarson.com/products/NetworkPrintServer.php
Versions:     <= 9.4.2 build 105
Platforms:    Windows
Bugs:         A] format string in logging
              B] license buffer-overflow
Exploitation: remote
Date:         11 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

LstNPS is a CGM print server for Windows.

#######################################################################

=== 2) Bugs ===

--- A] format string in logging ---

The server is affected by a format string vulnerability located in the logging functions (enabled by default and set on "Information"), which pass the log message directly to vsnprintf without the format argument.

--- B] license buffer-overflow ---

The LICENSE command handled by the server leads to a buffer-overflow vulnerability when a license string longer than 128 bytes is copied in a stack buffer using strncpy in the wrong way.

#######################################################################

=== 3) The Code ===

A] echo USEP %n%n%n%s%s%s|nc SERVER 3114 -v -v

B] echo LICENSE a...160...a|nc SERVER 3114 -v -v

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Format string and DoS in Opium OPI and cyanPrintIP servers 4.10.x
#######################################################################

                             Luigi Auriemma

Applications: Opium OPI Server
              http://www.cyansoftware.com/Opium_OPI.htm
              cyanPrintIP Easy OPI
              http://www.cyansoftware.com/cyanPrintIP_Easy_OPI.htm
              cyanPrintIP
              http://www.cyansoftware.com/cyanPrintIP.htm
Versions:     Opium OPI Server        <= 4.10.1028
              cyanPrintIP Easy OPI    <= 4.10.1030
              cyanPrintIP Professional <= 4.10.1030
              cyanPrintIP Workstation <= 4.10.836
              cyanPrintIP Standard    <= 4.10.940
              cyanPrintIP Basic       <= 4.10.1030
Platforms:    Windows
Bugs:         A] format string in ReportSysLogEvent
              B] service crash through "Send queue state" commands
Exploitation: remote
Date:         11 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

Opium and cyanPrintIP are a family of LPD products for the network sharing of printers.

#######################################################################

=== 2) Bugs ===

--- A] format string in ReportSysLogEvent ---

The LPD servers are affected by a format string vulnerability in the ReportSysLogEvent function used for logging. The best way for exploiting this vulnerability is through a malformed queue name, which will be used to build a "Print queue" error message directly passed to vsprintf without the needed format argument. After the exploitation a dump will be created and the server will be automatically restarted by the Restart process.

--- B] service crash through "Send queue state" commands ---

The servers are not able to handle the two "Send queue state" LPD commands (3 and 4) when received at the beginning of the connection, so when not expected by it. The result is the immediate crash/termination of the server, which will not be restarted automatically.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/cyanuro.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in ExtremeZ-IP File and Printer Server 5.1.2x15
#######################################################################

                             Luigi Auriemma

Application:  ExtremeZ-IP File and Printer Server
              http://www.grouplogic.com/products/extreme/overview.cfm
Versions:     <= 5.1.2x15
Platforms:    Windows
Bugs:         A] crash through the SLP service
              B] crash through the AFP service
              C] limited directory traversal in Zidget/HTTP
Exploitation: remote
Date:         10 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

ExtremeZ-IP is a server for Windows which supports both the Apple Filing Protocol and Line Printer Daemon for the sharing of files and printers.

#######################################################################

=== 2) Bugs ===

--- A] crash through the SLP service ---

ExtremeZ-IP runs by default with a SLP (Service Location Protocol) daemon enabled. The service is affected by a problem during the handling of the number of available URLs: in fact there are no instructions which check if the incoming packet can really contain the number of URLs specified in it. The resulting effect is the crash of the entire server when a big amount of URLs is used, due to the read access to the unallocated memory after the packet.

--- B] crash through the AFP service ---

The UAM field in the AFP protocol is used for choosing a guest access to the remote devices or a specific type of encrypted/hashed password for the authentication. An invalid UAM will cause the crash of the server, since it doesn't check if the type of authentication specified by the client is available or not.

--- C] limited directory traversal in Zidget/HTTP ---

By default a small webserver is also enabled, which runs on port 8081 and gives access to the Zidget widget and the master list. This service is affected by a directory traversal vulnerability which allows an attacker to download any file on the disk which has one of the following extensions: gif, png, jpg, xml, ico, zip and html. There are no other ways for bypassing the extension limitation; anyway XML files are often used as the format for the configuration files of various programs.

The directory traversal can be exploited only with the plain backslash char; hex chars are not supported by the server.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/ezipirla.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
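The WinIPDS, SafeNet Sentinel and ExtremeZ-IP advisories above share one root cause: the server's path filter knows about "../" but not about the backslash (or, in the SafeNet case, a patch that removed the slash form and left the backslash form working), and ExtremeZ-IP additionally relies on an extension allowlist. The following is an added example, not code from any of those products, of a request-path check that a practitioner would want in such a server: percent-escapes are decoded first so that encoded forms cannot hide a separator, both '/' and '\' are treated as separators before the ".." test, a drive-letter colon is refused, and the extension allowlist is compared case-insensitively so that a differently cased extension cannot slip past it. The image allowlist, the 1024-byte limit and all function names are assumptions.

```c
/* Added example, not code from WinIPDS, SafeNet Sentinel or ExtremeZ-IP:
 * a request-path check that decodes %XX escapes first, treats '\' and '/'
 * alike, rejects any ".." component and applies a case-insensitive
 * extension allowlist. Names and limits are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns -1 on a malformed escape, an encoded
 * NUL or an over-long result, so nothing half-decoded is ever inspected. */
static int url_decode(const char *src, char *dst, size_t dstsz)
{
    size_t o = 0;
    while (*src != '\0') {
        int ch = (unsigned char)*src;
        if (ch == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            ch = hi * 16 + lo;
            src += 3;
        } else {
            src++;
        }
        if (ch == 0 || o + 1 >= dstsz) return -1;
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    return 0;
}

/* Works on an already decoded path; normalises '\' to '/' in place. */
static int decoded_path_is_safe(char *buf)
{
    char *p, *seg;
    if (buf[0] == '\0' || strchr(buf, ':') != NULL) return 0;  /* "C:\..." */
    for (p = buf; *p != '\0'; p++)
        if (*p == '\\') *p = '/';          /* backslash is a separator too */
    seg = buf;
    for (;;) {
        size_t len;
        p = strchr(seg, '/');
        len = p ? (size_t)(p - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (p == NULL) break;
        seg = p + 1;
    }
    return 1;
}

/* 1 if the request URI, once decoded, cannot escape the document root. */
int request_path_is_safe(const char *uri)
{
    char buf[MAX_PATH_LEN];
    if (uri == NULL || url_decode(uri, buf, sizeof buf) != 0) return 0;
    return decoded_path_is_safe(buf);
}

static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* 1 if the extension of the last path component is in the NULL-terminated
 * allowlist, compared case-insensitively ("PNG" == "png"); 0 otherwise. */
int extension_allowed(const char *path, const char *const *allowed)
{
    const char *last = path, *sep, *dot;
    size_t i;
    for (sep = path; *sep; sep++)
        if (*sep == '/' || *sep == '\\') last = sep + 1;
    dot = strrchr(last, '.');
    if (dot == NULL) return 0;
    for (i = 0; allowed[i] != NULL; i++)
        if (ieq(dot + 1, allowed[i])) return 1;
    return 0;
}

static const char *const IMAGE_EXTENSIONS[] = { "gif", "png", "jpg", "jpeg", NULL };

/* Decision for an image handler: decode once, then check path and extension
 * on the same decoded buffer. */
int image_request_allowed(const char *uri)
{
    char buf[MAX_PATH_LEN];
    if (uri == NULL || url_decode(uri, buf, sizeof buf) != 0) return 0;
    return decoded_path_is_safe(buf) && extension_allowed(buf, IMAGE_EXTENSIONS);
}

int main(void)
{
    const char *samples[] = { "/images/logo.png", "/images/../../boot.ini",
                              "/..\\..\\boot.ini", "/..%5c..%5cboot.ini", NULL };
    size_t i;
    for (i = 0; samples[i] != NULL; i++)
        printf("%-28s safe=%d\n", samples[i], request_path_is_safe(samples[i]));
    return 0;
}
```

Decoding before the check is the detail that matters: a filter that looks for ".." in the raw URI passes "%2e%2e", and one that looks for "/" passes "%5c", yet the file system sees the decoded bytes.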
[Full-disclosure] NULL byte writing in Emerald, RadiusNT/X and Air Marshal
#######################################################################

                             Luigi Auriemma

Application:  Configuration web server integrated in Emerald, RadiusNT/X and Air Marshal
              http://www.iea-software.com
Versions:     Emerald <= 5.0.49
              RadiusNT and RadiusX <= 5.1.38
              Radius test client <= 4.0.20
              Air Marshal version <= 2.0.4
Platforms:    Windows, FreeBSD, Linux and Solaris
Bug:          writing of a NULL byte in the memory
Exploitation: remote
Date:         08 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

All the products developed by IEA Software use some web servers for the remote administration of the services. The following are the programs which run this web interface and the ports on which they listen:

- emerwebsrv, 80 and 443
- portald, 81
- schedule, 8010
- radadmn, 8011
- emerdap, 8012
- syslogd, 8013
- eaadmn, 8014
- emernet, 8018
- radlogin, 8020
- possibly others

#######################################################################

=== 2) Bug ===

For each HTTP POST request the configuration web server starts receiving the client's data using a heap buffer which automatically increases its size through realloc. When the data received is greater than the integer value specified in Content-Length it stops the operation and places a NULL byte at the end of the data for delimiting it.

The problem is that using a negative Content-Length value forces the server to place this 0x00 byte in a location of the memory which goes from heap_buffer+http_header+0x8000 to heap_buffer+http_header+0x, allowing an attacker to crash the server or to place this byte in a better location which could give him other possibilities of attack.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/emerdal.txt

  nc SERVER PORT -v -v < emerdal.txt

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
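Three advisories in this batch come down to one untrusted header: SurgeFTP allocates whatever Content-Length asks for and copies into the result without checking that malloc succeeded, the IEA Software web server interprets Content-Length as a signed integer so a negative value moves its terminating NUL byte outside the buffer, and the OfficeScan CGIs fall over when the header is absent. The following is an added example, not code from any of those products, of a Content-Length handler that closes all three paths: the header is parsed as an unsigned quantity with a leading-sign check, a missing or malformed value is an error rather than a zero or a NULL dereference, an upper bound is applied before any allocation, and a failed allocation is reported instead of used. The 1 MiB cap and the function names are assumptions.

```c
/* Added example, not code from SurgeFTP, Emerald/RadiusNT or OfficeScan:
 * a Content-Length handler covering a missing header, a negative or junk
 * value, an overflowing value, a value above a sane limit and a failed
 * allocation. The 1 MiB cap and all names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_LEN (1UL << 20)   /* assumed per-request body limit */

/* Returns the accepted body length, or -1 for a missing, negative,
 * non-numeric, overflowing or over-limit value. */
long checked_content_length(const char *value)
{
    char *end;
    unsigned long n;

    if (value == NULL)                  /* header absent: never dereference */
        return -1;
    while (*value == ' ' || *value == '\t')
        value++;
    if (*value < '0' || *value > '9')   /* rejects "", "-1", "+5", "abc" */
        return -1;
    errno = 0;
    n = strtoul(value, &end, 10);       /* unsigned: no sign can sneak in */
    if (errno == ERANGE)                /* e.g. a 30-digit value */
        return -1;
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')                   /* trailing garbage such as "12abc" */
        return -1;
    if (n > MAX_BODY_LEN)               /* bound before any allocation */
        return -1;
    return (long)n;
}

/* Allocate the body buffer only for an accepted length, and treat a failed
 * malloc as an error instead of copying into a NULL pointer. Returns the
 * buffer (caller frees) or NULL. */
char *alloc_body(const char *content_length_value, size_t *len_out)
{
    long len = checked_content_length(content_length_value);
    char *buf;

    if (len < 0)
        return NULL;
    buf = malloc((size_t)len + 1);      /* +1 for the terminator written below */
    if (buf == NULL)                    /* the check SurgeFTP lacks */
        return NULL;
    buf[len] = '\0';                    /* terminator always inside the buffer */
    if (len_out != NULL)
        *len_out = (size_t)len;
    return buf;
}

/* 1 if a body buffer could be allocated for this header value, else 0. */
int body_allocation_ok(const char *content_length_value)
{
    size_t len;
    char *buf = alloc_body(content_length_value, &len);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}

int main(void)
{
    const char *samples[] = { "1024", "-1", "2147483647", "12abc", NULL };
    size_t i;
    for (i = 0; samples[i] != NULL; i++)
        printf("Content-Length: %-12s -> %ld\n", samples[i],
               checked_content_length(samples[i]));
    printf("Content-Length: (absent)     -> %ld\n", checked_content_length(NULL));
    return 0;
}
```

The digit check before strtoul is deliberate: strtoul itself accepts a leading '-' and silently wraps the result, which is exactly the signed/unsigned confusion the Emerald advisory describes.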
[Full-disclosure] Multiple vulnerabilities in Ipswitch Instant Messaging 2.0.8.1
#######################################################################

                             Luigi Auriemma

Application:  Ipswitch Instant Messaging
              http://www.ipswitch.com/products/instant_messaging
Versions:     <= 2.0.8.1
Platforms:    Windows
Bugs:         A] pre-auth NULL pointer crash in decryption function
              B] format string in logging
              C] arbitrary empty files creation
Exploitation: remote
              A] versus both server and clients
              B] versus server
              C] versus server
Date:         07 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

Ipswitch Instant Messaging (IM) is a client/server messaging software.

#######################################################################

=== 2) Bugs ===

--- A] pre-auth NULL pointer crash in decryption function ---

IM uses 3DES encryption with a fixed key ("ipswitch") for encrypting the network traffic, and the only data which is in clear-text are the first 8 bytes exchanged at the beginning of each connection, which are the version number of the program. If an attacker uses a version number equal to zero (no encryption?) he will be able to crash the server due to the access to a NULL pointer during the decryption of the incoming data.

Note that this bug affects both the server and client application, so an attacker can easily crash all the clients in the LAN by sending the malformed data to the port 5178 of each host, since this is the default port on which they listen.

--- B] format string in logging ---

The logging function used by IM is affected by a format string vulnerability. The way I have found for exploiting this vulnerability is through a message sent to a user who has a malformed client IP string. So it is possible to do this using two accounts (in my tests sending a message to himself doesn't seem to work for this bug) or in many other ways, like sending a message to another user who, when he replies, will also exploit the vulnerability.

When the server tries to connect to the IP specified by the target client it will fail, since it's not a valid IP (255.255.255.255 INADDR_NONE), and will create an error message similar to the following, subsequently passed directly to sprintf without the needed format argument:

  "Queueing message for [EMAIL PROTECTED] Unexpected Error = 10049, Failed to connect to client_IP. on port client_port.."

--- C] arbitrary empty files creation ---

IM creates index files for storing pointers to the entries of its database in which the messages of the users are stored. The problem here is that these index files are created in append mode using the name of the target of the message plus the "@hostname.idx" suffix (like [EMAIL PROTECTED]) without checking if the file has been created outside the Logs folder. Actually the only way I have found for writing files with arbitrary names is through the char ':' appended at the end of the target username, which allows to drop the additional suffix added by the program.

Anyway, although interesting, this bug can't be defined a real vulnerability, since it's possible to create new files anywhere on the disk where IM is installed but it is not possible to overwrite or append garbage data (the index data I talked about before) to the existing ones.

#######################################################################

=== 3) The Code ===

http://aluigi.org/poc/ipsimene.zip

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
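The format string bugs in this batch (SurgeMail's lvprintf call, LstNPS's vsnprintf logging, the ReportSysLogEvent "Print queue" message in Opium/cyanPrintIP, and the sprintf error message in Ipswitch IM above) all have the same shape: a message that contains client-controlled text is handed to a printf-family function as the format argument. The following is an added example, not code from any of those products, of the logging helper that avoids this: the format is always a literal and client text only ever fills a "%s" conversion, and the GCC/Clang format attribute makes the compiler warn when a caller passes a non-literal format. Function names are assumptions.

```c
/* Added example, not code from SurgeMail, LstNPS, Opium or Ipswitch IM:
 * a logging helper that never lets a client-supplied string become the
 * format argument, plus a compile-time guard. Names are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* The pattern the advisories describe, kept here only as a comment:
 *     snprintf(line, sizeof line, msg);          msg is the format: wrong
 *     vsnprintf(line, sizeof line, msg, ap);     same mistake
 * Anything the client controls must go through a %s conversion instead. */

/* Format a log line from a literal format plus arguments. The attribute
 * lets gcc/clang flag callers that pass a non-literal format (with
 * -Wformat, which -Wall enables). Returns the length of the stored line. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    return n < (int)outsz ? n : (int)outsz - 1;   /* truncated length */
}

/* Log an untrusted message verbatim: the literal "[%s] %s" is the only
 * format string that ever reaches vsnprintf. */
int log_untrusted(char *out, size_t outsz, const char *component,
                  const char *untrusted)
{
    return log_fmt(out, outsz, "[%s] %s", component, untrusted);
}

/* 1 if the logged line still contains the untrusted text byte for byte,
 * i.e. no '%' sequence inside it was interpreted as a directive. */
int logged_verbatim(const char *untrusted)
{
    char line[256];
    if (log_untrusted(line, sizeof line, "lpd", untrusted) < 0) return 0;
    return strstr(line, untrusted) != NULL;
}

/* Length of the "[component] message" line, for checking the wrapper. */
int logged_length(const char *component, const char *untrusted)
{
    char line[256];
    return log_untrusted(line, sizeof line, component, untrusted);
}

int main(void)
{
    char line[256];
    /* constructed sample: a queue name carrying conversion specifiers */
    log_untrusted(line, sizeof line, "lpd", "Print queue 'a%n%sb' error");
    printf("%s\n", line);
    return 0;
}
```

With the attribute in place, a call such as `log_fmt(buf, sizeof buf, user_msg)` draws a compiler warning, which is the cheapest way to find the remaining instances of this pattern in a code base.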
[Full-disclosure] Logs visualization in WS_FTP Server Manager 6.1.0.0
#######################################################################

                             Luigi Auriemma

Application:  WS_FTP Server Manager
              http://www.wsftp.com
Versions:     WS_FTP Server <= 6.1.0.0
Platforms:    Windows
Bugs:         A] authorization bypassing in log visualization
              B] ASP source visualization
Exploitation: remote
Date:         06 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

=== 1) Introduction ===

WS_FTP Server Manager (aka WS_FTP WebService) is the web administration interface of the IpSwitch WS_FTP server and runs by default on port 80.

#######################################################################

=== 2) Bugs ===

--- A] authorization bypassing in log visualization ---

The FTPLogServer folder available in the WS_FTP WebService is used for the visualization and the downloading of the log entries collected by the Logger Server used for any logging operation of the IpSwitch servers (like both WS_FTP and the WebService itself). Naturally for watching the logs it is necessary to know the administration username and password, but a vulnerability exists which allows anyone to gain access to this function of the server.

It's enough to logout from the web server without being logged in, and after this operation it is possible to use all the asp files located in the FTPLogServer folder through a strange account name called localhostnull. The vulnerability has been confirmed from both LAN and Internet.

The authorization bypassing is possible only for the ASP files located in this folder, so the management of the FTP server is not touched by the vulnerability.

--- B] ASP source visualization ---

The following small bug is reported here only for thoroughness and has no impact. By default it canNOT be defined a vulnerability because the webservice, although possible due to its directory structure (in short the WS_FTP stuff is all in the WSFTPSVR folder, so the rest of the root path of the web server can be used for anything else), can't be considered a "classical" web server where custom contents are used.

Anyway, if custom ASP files are in use on the web server, a person can see their content simply by adding a dot at the end of the URL, like in the following examples of some pre-existing script files, without the need of being logged in:

  http://SERVER/WSFTPSVR/login.asp.
  http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp.
  http://SERVER/WSFTPSVR/FTP/ViewCert.asp.

#######################################################################

=== 3) The Code ===

The following are the URLs to use in sequence for watching the logs:

  http://SERVER/WSFTPSVR/FTPLogServer/login.asp?action=logLogout
  http://SERVER/WSFTPSVR/FTPLogServer/LogViewer.asp

#######################################################################

=== 4) Fix ===

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Chat vulnerabilities in TinTin++ 1.97.9
### Luigi Auriemma

Application:  TinTin++ / WinTin++
              http://tintin.sourceforge.net
Versions:     <= 1.97.9
Platforms:    Windows, Linux and Mac
Bugs:         A] chat buffer-overflow
              B] chat YES NULL pointer
              C] chat home folder empty files creation
Exploitation: remote
Date:         06 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

TinTin++ is a well known MUD client.

###

=== 2) Bugs ===

The #chat command available in TinTin++ binds a TCP port (4050 by
default) used to receive chat messages and files from the other clients.

--- A] chat buffer-overflow ---

A buffer-overflow exists in add_line_buffer(), where word_wrap() can
double the size of the input string because of the conversion of line
feeds into CR/LF. The way I have found to exploit this vulnerability is
through the chat_printf() function used to build the "Unterminated
command: %d %s" string when the program receives data without a 0xff
delimiter. TinTin++ handles the data received through read/recv (max
19000 chars) directly, without waiting for the entire data block as it
was sent; anyway the vulnerability has been successfully tested and
confirmed over the Internet too.

--- B] chat YES NULL pointer ---

The presence of the line feed char in the "YES:" message is not
verified, allowing an attacker to crash TinTin++ through the resulting
NULL pointer.

From chat.c:

  int process_chat_input(struct chat_data *buddy)
  ...
      sep = strchr(buf, '\n');
      *sep++ = 0;
  ...

--- C] chat home folder empty files creation ---

TinTin++ can receive files from other people in the incoming folder,
which by default is the home one (~ on Unix and %USERPROFILE% on
Windows), but naturally the user must accept the file before receiving
it. The problem is that the file specified by the sender is created
before it is accepted or declined, so an attacker can overwrite existing
files (subdirectories cannot be specified) with empty ones.

For example it is possible to clear configuration files like .bashrc,
.inputrc, ntuser.ini and so on.

###

=== 3) The Code ===

http://aluigi.org/poc/rintintin.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
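Bugs A and B above in bounded form, as an added example in C (not TinTin++ code). The first pattern is the one behind bug A: converting LF to CR/LF can double the data, so the output buffer has to be sized from the number of line feeds rather than from the input length. The second is bug B: a strchr() that may return NULL has to be checked before the pointer is written through. The function names are mine; the 19000-byte read size comes from the advisory.

```c
/* Added example, not TinTin++ code. Bounded LF -> CR/LF expansion (the
 * growth word_wrap() did not account for) and a checked split of the
 * "YES:" message (the strchr() that was dereferenced unchecked). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define CHAT_READ_MAX 19000   /* max bytes read per recv, per the advisory */

/* Bytes needed to hold src after LF -> CR/LF expansion, NUL included.
 * Worst case is 2 * strlen(src) + 1. */
size_t crlf_expanded_len(const char *src)
{
    size_t n = 1;
    for (; *src; src++)
        n += (*src == '\n') ? 2 : 1;
    return n;
}

/* Bounded expansion into dst. Returns 0 on success or -1 when dst is too
 * small; on -1 dst holds a NUL-terminated prefix cut at a character
 * boundary (never half of a CR/LF pair). */
int crlf_expand(char *dst, size_t dstsz, const char *src)
{
    size_t o = 0;
    if (dstsz == 0) return -1;
    for (; *src; src++) {
        size_t need = (*src == '\n') ? 2 : 1;
        if (o + need >= dstsz) { dst[o] = '\0'; return -1; }
        if (*src == '\n') dst[o++] = '\r';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Exact-size expansion: allocates what crlf_expanded_len() reports, so a
 * CHAT_READ_MAX byte chunk made only of line feeds still fits. Caller frees. */
char *crlf_expand_alloc(const char *src)
{
    size_t need = crlf_expanded_len(src);
    char *dst = malloc(need);
    if (dst && crlf_expand(dst, need, src) != 0) { free(dst); return NULL; }
    return dst;
}

/* "YES:<name>\n<rest>" handling. The advisory's form
 *     sep = strchr(buf, '\n');
 *     *sep++ = 0;
 * writes through NULL when no line feed is present. This version refuses
 * the message instead. Returns 0 and sets *rest, or -1 if malformed. */
int split_yes_message(char *buf, char **rest)
{
    char *sep;
    if (strncmp(buf, "YES:", 4) != 0) return -1;
    sep = strchr(buf, '\n');
    if (sep == NULL) return -1;          /* no terminator: reject, don't deref */
    *sep++ = '\0';
    *rest = sep;
    return 0;
}
```

crlf_expand() reports truncation instead of overrunning, and crlf_expand_alloc() shows the sizing rule that makes the worst case (a read of CHAT_READ_MAX line feeds) safe.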
[Full-disclosure] Multiple vulnerabilities in SAPlpd 6.28
### Luigi Auriemma

Application:  SAPlpd
              http://www.sap.com
Versions:     <= 6.28 (included in SAP GUI 7.10)
Platforms:    Windows
Bugs:         various vulnerabilities
Exploitation: remote
Date:         04 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

SAPlpd is a small and very old (2001) line printer daemon for Windows
which is included in the SAP GUI package.

###

=== 2) Bugs ===

The daemon is affected by various vulnerabilities which, for brevity, I
have decided to list by the lpd command byte (in hex) accepted by the
program (0x31-0x35 are the ASCII digits '1'-'5', handled like the
binary commands 01-05):

  command(s)     type of bug
  -------------  -------------------------------------------------------
  01 31          memcpy
  02 32          memcpy + sprintf "Receive job for printer %s (berkley
                 protocol)\n"
  03 04 33 34    sprintf "QUERY = %s\n" + multiple strcpy
  05 35          multiple strcpy
  53             server termination

###

=== 3) The Code ===

http://aluigi.org/poc/saplpdz.zip

###

=== 4) Fix ===

Vendor contacted, a patch will be released soon.

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in WinCom LPD Total 3.0.2.623
### Luigi Auriemma

Application:  WinCom LPD Total - Line Printer Daemon
              http://clientsoftware.com.au/lpd.html
Versions:     <= 3.0.2.623
Platforms:    Windows
Bugs:         A] buffer-overflow in control filename
              B] remote administration bypass
              C] integer memcpy crash in remote administration
              D] buffer-overflow in remote administration
Exploitation: remote
Date:         04 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

WinCom LPD Total (wincomlpd) is a commercial line printer daemon for
Windows.

###

=== 2) Bugs ===

--- A] buffer-overflow in control filename ---

wincomlpd is affected by a buffer-overflow exploitable during the
building of the error string produced when the file specified by the
client cannot be created. The queues of remote printers are not
affected by the problem.

--- B] remote administration bypass ---

The administration service, which runs on port 13500, is used by local
and remote admins to manage the wincomlpd server. The problem here is
very simple: the authentication method used by the program is
practically non-existent. In short, an attacker can manage the
wincomlpd server without knowing the admin username and password, by
simply skipping the auth stage. This bug can be exploited in at least
two ways: by writing an alternative client (the protocol is simple
enough, so that's not a problem) or just by modifying the admin client
program (LPDAdmin.exe).

--- C] integer memcpy crash in remote administration ---

The 8 and 16 bit values used in the remote administration protocol to
specify respectively the length of the strings (like the name of the
printer to add) and the size of the data block are signed integers.
That allows an attacker to crash the remote wincomlpd service simply by
using negative values like 0x80 or 0xff for the 8 bit numbers and
0x8000 or 0x for the data block, and so on. This bug can also be used to
exploit the subsequent vulnerability.

--- D] buffer-overflow in remote administration ---

A buffer-overflow is located in the function which copies the data
described in C, using those length values, into a stack buffer.

Naturally the severity of the above two vulnerabilities is tied to the
possibility of bypassing the authentication explained in bug B.

###

=== 3) The Code ===

http://aluigi.org/poc/wincomalpd.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
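The signedness problem of bug C, as an added example in C (not WinCom code). When the 8- or 16-bit length field from the wire is held in a signed type, 0x80..0xff and 0x8000..0xffff read as negative numbers, pass a "len <= MAX" comparison and then reach memcpy as a huge size_t. The two *_accepted_signed() functions reproduce only the check (actually copying would crash); parse_admin_msg() is the unsigned, fully bounds-checked form. The message layout [u8 name_len][name][u16 data_len, big endian][data] and the limits are assumptions for illustration; the advisory does not document the protocol.

```c
/* Added example, not WinCom code: signed length fields accept 0xff/0x8000
 * as "small", the unsigned parser rejects them and also checks pktlen. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX 64
#define DATA_MAX 512

struct admin_msg {
    char    name[NAME_MAX + 1];
    uint8_t data[DATA_MAX];
    size_t  data_len;
};

/* The vulnerable checks: signed interpretation of the wire value. */
int name_len_accepted_signed(uint8_t raw)
{
    int8_t len = (int8_t)raw;           /* 0xff -> -1 */
    return len <= NAME_MAX;             /* -1 <= 64: accepted, memcpy gets (size_t)-1 */
}

int data_len_accepted_signed(uint16_t raw)
{
    int16_t len = (int16_t)raw;         /* 0x8000 -> -32768 */
    return len <= DATA_MAX;
}

/* The corrected checks: unsigned, so 0xff is simply 255 > NAME_MAX. */
int name_len_accepted_unsigned(uint8_t raw)  { return raw <= NAME_MAX; }
int data_len_accepted_unsigned(uint16_t raw) { return raw <= DATA_MAX; }

/* Hardened parser: unsigned lengths checked against both the fixed limits
 * and the bytes actually available. Returns 0 on success, -1 on reject. */
int parse_admin_msg(const uint8_t *pkt, size_t pktlen, struct admin_msg *m)
{
    size_t   pos = 0;
    uint8_t  name_len;
    uint16_t data_len;

    if (pktlen < 1) return -1;
    name_len = pkt[pos++];
    if (!name_len_accepted_unsigned(name_len) || pktlen - pos < name_len) return -1;
    memcpy(m->name, pkt + pos, name_len);
    m->name[name_len] = '\0';
    pos += name_len;

    if (pktlen - pos < 2) return -1;
    data_len = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    pos += 2;
    if (!data_len_accepted_unsigned(data_len) || pktlen - pos < data_len) return -1;
    memcpy(m->data, pkt + pos, data_len);
    m->data_len = data_len;
    return 0;
}
```

The "pktlen - pos < len" comparisons are written that way on purpose: pos never exceeds pktlen, so the subtraction cannot wrap, whereas "pos + len > pktlen" could overflow with a large len.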
[Full-disclosure] Socket termination in FTP Log Server 7.9.14.0
### Luigi Auriemma

Application:  FTP Log Server
              http://www.wsftp.com
Versions:     <= 7.9.14.0
Platforms:    Windows
Bug:          socket termination
Exploitation: remote
Date:         04 Feb 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

FTP Log Server is a daemon installed and running with Ipswitch WS_FTP;
it listens on UDP port 5151 and is used for all the logging operations
of this FTP server.

###

=== 2) Bug ===

Sending more than 20 packets larger than 4096 bytes (the maximum packet
size the server can receive) with less than one second between them
causes the silent termination of the listening socket (offset
004013FD): the daemon's process stays alive, but it no longer handles
the log commands of the FTP server or of any other server which uses
it.

Although the daemon binds all the interfaces (and I doubt an admin
leaves UDP port 5151 reachable from the Internet, moreover to avoid
custom entries in the XML logs), the main scenario for exploiting this
vulnerability is a LAN environment, for example to disable the logging
service before starting a brute-force attack against the machine on
which the FTP server is running, and so on.

###

=== 3) The Code ===

http://aluigi.org/testz/udpsz.zip

  udpsz -l 100 SERVER 5151 4097

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5
Secunia has done additional research on the vulnerability I reported a
week ago about the buffer-overflow in uTorrent and has found that remote
code execution is possible.

That's important, moreover because at the moment I'm writing there are
still tons of people using 1.7.5 or other vulnerable 1.7.x versions of
uTorrent.

Then, some days ago, BitTorrent 6.0.1 was released, which fixes the
vulnerability in this client too.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5
### Luigi Auriemma

Applications: BitTorrent and uTorrent
              http://www.bittorrent.com
              http://www.utorrent.com
Versions:     BitTorrent <= 6.0 (build 5535)
              uTorrent <= 1.7.5 (build 4602)
              uTorrent <= 1.8-alpha-7834
Platforms:    Windows confirmed
              Mac and Linux (both available only for BitTorrent) have
              not been tested
Bug:          crash caused by unicode static buffer-overflow
Exploitation: remote
Date:         16 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

BitTorrent and uTorrent are the most used clients for the bittorrent
protocol and are both built over the same code base, derived from
uTorrent.

###

=== 2) Bug ===

By default both clients have the "Detailed Info" window active with the
"General" section visible in it, where various information about the
status of the torrent and the trackers in use is reported. In the same
window, near "General", there is also the "Peers" section, which is
very useful since it shows a lot of information about the other
connected clients, like the percentage of availability of the shared
torrent, their IP address, country, speed, amount of downloaded and
uploaded data and, moreover, the version of their client (like
"BitTorrent 6.0", "Azureus 3.0.3.4", "uTorrent 1.7.5", "KTorrent 2.2.4"
and so on).

When this window is displayed by the user, the unicode strings with the
software versions of the connected clients are copied with wcscpy into
the static buffers used for displaying them in the GUI. If such a string
is too long a crash occurs, immediately or in some cases (like on
BitTorrent) later, when the user looks at the status of another torrent
or leaves the "Peers" window. Code execution is not possible.

To exploit the problem it is enough that an external attacker connects
to the random port opened on the client and sends the long client
version and the SHA1 hash of the torrent currently in use and watched on
the target. Note that all these parameters (client IP, port and
torrent's hash) are publicly available on the tracker.

###

=== 3) The Code ===

http://aluigi.org/poc/ruttorrent.zip

###

=== 4) Fix ===

uTorrent 1.7.6 (build 7859), released the same day I reported the
vulnerability, great job!
Actually there is no info about when the new version or build of
BitTorrent will be released.

###

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70
Marcello Barnaba (void) <[EMAIL PROTECTED]> wrote:
> By the way, even with "Transport setup" -> "Automatic", the software
> doesn't crash nor loops after reading the HTTP payload

One hypothesis is a possible different behaviour depending on the
version of Mac OS, probably bypassable using a modified
proof-of-concept, or just not at all.

I have found the following post (in French) which reports a detailed
test made using the latest version of Quicktime on Mac OS X 10.4.11 PPC
and Mac OS X 10.5.1 Intel:

  http://forum.macbidouille.com/index.php?act=ST&f=8&t=251685#entry2512134

On both platforms the code flow has pointed to the return address
specified in the proof-of-concept (on PPC 0x01010119 is just the 0x01
sequence of bytes which was in my PoC before the 'A' sequence).

Anyway this mail is also for pointing out a new customizable
proof-of-concept which I wrote yesterday and which can be used to fully
execute code remotely after having passed the needed valid parameters
(my PoC doesn't contain shellcodes, it must be provided as an external
file in the classical C/Perl/hexadecimal format like, for example, those
available on The Metasploit Project):

  http://aluigi.org/poc/quicktimebof.zip

The success of the exploitation depends on various factors; for example,
here, using the "QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3" link and
the PoC launched as:

  quicktimebof 2134 0x675b29eb shellcode.txt

I have been able to execute code on my Quicktime 7.3.1.70 (default
options) with a success rate of almost 100% on both localhost and LAN,
but other ways (like QTL or the manual loading of the URL from the
program, for example) could produce different effects, and it could be
necessary to modify my PoC, or the offset of the return address, or just
a bit the rtsp URL (moreover its length, as noticed from the tests made
here).

The method used in the PoC is very simple: when the code flow reaches
the return address specified by the attacker, the EAX register points to
the offset of our error message string, at which our custom return
address starts (so, in short, EAX + 4 is our shellcode). 0x675b29eb is a
"CALL EAX" located in QuickTimeStreaming.qtx, so when it is executed our
code flow will land right on "eb 29 5b 67 nops shellcode", which
translates to "JMP +0x29" and allows executing the shellcode located
after the 41 bytes skipped by the JMP.

The 302 redirect used in my PoC has been added because during my tests
it gave better results.

Naturally mine is only an idea on which I worked to test in practice the
effects of the bug here on my system (Windows XP SP2), so anyone can
find better methods and solutions, moreover about the "compatibility".

---
Luigi Auriemma
http://aluigi.org
Re: [Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70
"Marcello Barnaba (void)" <[EMAIL PROTECTED]> wrote:
> Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn't
> try to connect to port 80 if 554 is closed.
> ...
> yea i second that i tested on Vista and it doesnt attempt to redirect
> to the port 80 there must be another condition that u have specified
> that allows for redirection

Uhmmm, I imagine you are the same Marcello of yesterday, right? Who else
could be?

Well, first some technical information.

When the rtsp URL is called (and no custom port has been specified)
Quicktime performs 3 types of consecutive connections, something like a
scan:

- port 554 (rtsp) using the rtsp protocol (DESCRIBE)
- port 7070 (pnm) using the rtsp protocol (DESCRIBE)
- port 80 (http) using the http protocol (GET)

Everything can be seen at offset 0x675A32C9 of QuickTimeStreaming.qtx,
where ECX has the value 1, 2 and 3 for the previous "stages" (4 means
"give up").

As already said in my advisory, the exploitation happens in the passing
to the http protocol (that's why if you contact port 80 directly nothing
happens). I don't know if better or easier ways to exploit this
vulnerability exist, but in my opinion this one is already excellent.

Now instead we arrive at what leads to "your" problems.

If the connection times out, Quicktime automatically considers the
remote host unreachable and no longer continues the "protocol
switching". For example, if port 554 is closed it passes to port 7070,
and if port 7070 is filtered (timeout) Quicktime gives up and doesn't
check port 80.

Anyone can test this personally, for example using a link like
rtsp://aluigi.org/file.mp3, because ports 554 and 7070 are filtered
there, so Quicktime will give you "disconnected" without trying the
"sequence" (tdimon, API spy software and sniffers are your friends).

Naturally what I have said has been tested also on Vista (luckily I have
a friend brave enough to have this so-called OS installed), where I
successfully crashed the client.

Now, talking about you, Marcello: the problem you had is just with
"your" same computer/network; probably you have a firewall or something
else (a "condition", as you define it) that simply makes your ports
appear filtered/timed out, so Quicktime gives up.

The funny thing is that this was also the most logical conclusion: if I
have a broken finger it's normal that everywhere I touch my body I feel
pain, so if all the world has successfully tested and confirmed this
vulnerability and you are the only one on Earth who, after changing OS,
still has the problem, the possible causes are not so many...

So, concluding, Quicktime Player 7.3.1.70 IS and remains vulnerable
independently of the operating system on which it runs: Windows XP,
Windows Vista, Mac OS X, Y, Z and so on.

BYEZ

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70
### Luigi Auriemma

Application:  Quicktime Player
              http://www.apple.com/quicktime
Versions:     <= 7.3.1.70
Platforms:    Windows and Mac
Bug:          buffer-overflow
Exploitation: remote
Date:         10 Jan 2008
Thanx to:     swirl for the help during the re-testing of the bug
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Quicktime is a well known media player developed by Apple.

###

=== 2) Bug ===

The problem is a buffer-overflow which happens during the filling of
the LCD-like screen containing info about the status of the connection.

To exploit this vulnerability it is only needed that a user follows a
rtsp:// link: if port 554 of the server is closed, Quicktime
automatically changes the transport and tries the HTTP protocol on port
80, and the 404 error message of the server (other error numbers are
valid too) is displayed in the LCD-like screen.

During my tests I have been able to fully overwrite the return address;
anyway note that the visible effects of the vulnerability could change
while using the debugger (in attaching mode everything is ok).

###

=== 3) The Code ===

http://aluigi.org/poc/quicktimebof.txt

  nc -l -p 80 -v -v -n < quicktimebof.txt

and then

  QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Pre-auth remote commands execution in SAP MaxDB 7.6.03.07
### Luigi Auriemma

Application:  SAP MaxDB
              https://www.sdn.sap.com/irj/sdn/maxdb
              http://www.sap.com
Versions:     <= 7.6.03 build 007
Platforms:    Windows, Linux and Solaris
Bug:          pre-auth remote commands execution
Exploitation: remote
Date:         09 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

SAP MaxDB is a commercial, widely known and widely used database.

###

=== 2) Bug ===

The MaxDB server executes "cons.exe DATABASE COMMAND" through system()
when some special commands are called by the user. Some of these
special commands are "show" and "exec_sdbinfo", and this last one is
one of the small set of commands which can be executed by
unauthenticated users before logging in.

The usage of system() to execute the cons program allows an external
unauthenticated attacker to execute any command he wants on the target
SAP MaxDB server, simply by passing "&&" or the other patterns for the
execution of multiple commands in the shell. So it's enough to use the
following SAP command to see the content of C: on Windows (the bug is
naturally exploitable on any other platform supported by the server):

  exec_sdbinfo && echo dir c:\ | cmd.exe

Then the rest and all the other possibilities of exploiting this
vulnerability are left to the fantasy of the attacker...

###

=== 3) The Code ===

http://aluigi.org/poc/sapone.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
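The vulnerable construction and the two defences that close it, as an added example in C (not SAP code). build_shell_line() reproduces the "cons.exe DATABASE COMMAND" string that system() hands to the shell, where "&&" becomes shell syntax. The fixed path validates the client-controlled pieces against a strict allowlist and then launches the helper with an explicit argv and no shell, so metacharacters stay data. The name rule, the command allowlist and the helper path are assumptions; the POSIX fork/execv launch stands in for what would be CreateProcess with a separate argument vector on Windows.

```c
/* Added example, not SAP code: system() with user data vs. allowlist plus
 * argv-based launch. Name rules, allowlist and paths are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape: one string that a shell will parse. Returns 0 and
 * the line that system() would receive; shown to make the injection
 * visible, never to be executed. */
int build_shell_line(char *out, size_t outsz, const char *db, const char *cmd)
{
    int n = snprintf(out, outsz, "cons.exe %s %s", db, cmd);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Allowlist for the database name: [A-Za-z0-9_], 1..18 chars (assumed rule). */
int is_valid_dbname(const char *db)
{
    size_t n = strlen(db);
    if (n == 0 || n > 18) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = db[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok) return 0;
    }
    return 1;
}

/* The only console subcommands the pre-auth path may issue (assumed list).
 * Exact match, so "exec_sdbinfo && echo dir c:\ | cmd.exe" is refused. */
static const char *allowed_cmds[] = { "show", "exec_sdbinfo", NULL };

int is_allowed_cmd(const char *cmd)
{
    for (int i = 0; allowed_cmds[i]; i++)
        if (strcmp(cmd, allowed_cmds[i]) == 0) return 1;
    return 0;
}

/* Safe launch: validate, then fork + execv with a fixed helper path and
 * separate arguments. No shell is involved, so "&&", "|" or ";" inside an
 * argument reach the helper as plain bytes. Returns the child's exit
 * status, or -1 on rejected input or launch failure. */
int run_cons(const char *cons_path, const char *db, const char *cmd)
{
    if (!is_valid_dbname(db) || !is_allowed_cmd(cmd)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)cons_path, (char *)db, (char *)cmd, NULL };
        execv(cons_path, argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Both defences matter: the allowlist keeps the helper from ever seeing an unexpected subcommand, and the argv launch means that even a future allowlist mistake cannot turn an argument into a second shell command.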
[Full-disclosure] Pre-auth buffer-overflow in mySQL through yaSSL
The following is a proof-of-concept for testing the buffer-overflow
which affects yaSSL <= 1.7.5 on mySQL servers, any version, including
the latest 6.0.3:

  http://aluigi.org/poc/mysqlo.zip

The vulnerability is exploitable before authentication, so the only
requirements for testing it are the usage of SSL on the server and,
naturally, having an IP address with access to the database.

By default mySQL uses yaSSL (1.6.0) to avoid licence conflicts; anyway,
if the test server has been compiled with specific OpenSSL support it is
NOT vulnerable.

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in yaSSL 1.7.5
### Luigi Auriemma

Application:  yaSSL
              http://www.yassl.com
Versions:     <= 1.7.5
Platforms:    Windows and *nix
Bugs:         A] buffer-overflow in ProcessOldClientHello
              B] buffer-overflow in "input_buffer& operator>>"
              C] invalid memory access in HASHwithTransform::Update
Exploitation: remote
Date:         04 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

yaSSL is an open source SSL library mainly used in MySQL and in other
projects. On MySQL, if SSL support is enabled, it is possible to use
this vulnerability for pre-authentication code execution.

###

=== 2) Bugs ===

--- A] buffer-overflow in ProcessOldClientHello ---

The buffer which contains the data received from the client in the
Hello packet has the following structure (from yassl_imp.hpp):

  class ClientHello : public HandShakeBase {
      ProtocolVersion    client_version_;
      Random             random_;
      uint8              id_len_;                         // session id length
      opaque             session_id_[ID_LEN];
      uint16             suite_len_;                      // cipher suite length
      opaque             cipher_suites_[MAX_SUITE_SZ];
      uint8              comp_len_;                       // compression length
      CompressionMethod  compression_methods_;
  ...

where ID_LEN is 32 elements long, MAX_SUITE_SZ is 64 and RAN_LEN
(Random) is 32.

The ProcessOldClientHello function, called when an old version of the
Hello packet is received, lacks the checks needed to limit the amount
of data which fills these 3 fields, leading to a buffer-overflow
exploitable for executing code remotely.

From handshake.cpp:

  void ProcessOldClientHello(input_buffer& input, SSL& ssl)
  ...
      ClientHello ch;
  ...
      for (uint16 i = 0; i < ch.suite_len_; i += 3) {
          byte first = input[AUTO];
          if (first)  // sslv2 type
              input.read(len, SUITE_LEN); // skip
          else {
              input.read(&ch.cipher_suites_[j], SUITE_LEN);
              j += SUITE_LEN;
          }
      }
      ch.suite_len_ = j;

      if (ch.id_len_)
          input.read(ch.session_id_, ch.id_len_);

      if (randomLen < RAN_LEN)
          memset(ch.random_, 0, RAN_LEN - randomLen);
      input.read(&ch.random_[RAN_LEN - randomLen], randomLen);
  ...

--- B] buffer-overflow in "input_buffer& operator>>" ---

Another buffer-overflow is located in the function used for handling
the normal Hello packet, but in this case it doesn't seem possible (or
easily possible) to exploit this vulnerability for executing code.

From yassl_imp.cpp:

  input_buffer& operator>>(input_buffer& input, ClientHello& hello)
  ...
      hello.id_len_ = input[AUTO];
      if (hello.id_len_) input.read(hello.session_id_, ID_LEN);

      // Suites
      byte tmp[2];
      tmp[0] = input[AUTO];
      tmp[1] = input[AUTO];
      ato16(tmp, hello.suite_len_);

      input.read(hello.cipher_suites_, hello.suite_len_);
  ...

--- C] invalid memory access in HASHwithTransform::Update ---

The usage of a too big size value in the Hello packet leads to a crash
of the library through the reading of data outside the memory
containing the incoming packet.

From hash.cpp:

  void HASHwithTransform::Update(const byte* data, word32 len)
  {
      // do block size increments
      word32 blockSz = getBlockSize();
      byte*  local   = reinterpret_cast<byte*>(buffer_);

      while (len) {
          word32 add = min(len, blockSz - buffLen_);
          memcpy(&local[buffLen_], data, add);
  ...

###

=== 3) The Code ===

http://aluigi.org/poc/yasslick.zip

###

=== 4) Fix ===

A mail has been sent to the developers yesterday during my tests, only
to inform them of the vulnerabilities.

###

---
Luigi Auriemma
http://aluigi.org
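A bounds-checked parser for the SSLv2-style CLIENT-HELLO body that ProcessOldClientHello() handles, as an added example in C (not yaSSL code). It keeps the same fixed-size fields (ID_LEN 32, MAX_SUITE_SZ 64, RAN_LEN 32) and the same suite loop (a leading zero byte marks an SSLv3-style suite whose two id bytes are copied, a non-zero byte marks an SSLv2-only suite that is skipped) but adds the checks bug A says are missing: every length taken from the wire is compared with the field it fills and with the bytes actually received before anything is copied. The field order follows the SSLv2 CLIENT-HELLO layout (version, cipher-spec length, session-id length, challenge length, then the three variable parts); the record header and message-type byte are assumed to have been consumed already, and the sample packet is constructed here.

```c
/* Added example, not yaSSL code: the old-ClientHello parse with the
 * length checks that yaSSL <= 1.7.5 lacked. Sample packet is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ID_LEN        32
#define MAX_SUITE_SZ  64
#define RAN_LEN       32
#define SUITE_LEN      2   /* an SSLv3/TLS cipher suite id */
#define V2_SUITE_LEN   3   /* each cipher spec on the wire is 3 bytes */

struct client_hello {
    uint8_t  version[2];
    uint8_t  random_[RAN_LEN];           /* challenge, right-aligned, zero-padded */
    uint8_t  id_len;
    uint8_t  session_id[ID_LEN];
    uint16_t suite_len;                  /* bytes used in cipher_suites */
    uint8_t  cipher_suites[MAX_SUITE_SZ];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 on any malformed, truncated or oversized input. */
int parse_old_client_hello(const uint8_t *in, size_t inlen, struct client_hello *ch)
{
    size_t pos, i, j = 0;
    uint16_t suites_len, id_len, rand_len;

    if (inlen < 8) return -1;
    ch->version[0] = in[0];
    ch->version[1] = in[1];
    suites_len = rd16(in + 2);
    id_len     = rd16(in + 4);
    rand_len   = rd16(in + 6);
    pos = 8;

    /* The missing checks: wire lengths vs. fixed fields and vs. inlen. */
    if (suites_len % V2_SUITE_LEN != 0) return -1;
    if (id_len > ID_LEN) return -1;
    if (rand_len == 0 || rand_len > RAN_LEN) return -1;
    if (inlen - pos < (size_t)suites_len + id_len + rand_len) return -1;

    /* Cipher specs: first byte 0 -> SSLv3-style suite, copy its two id
     * bytes (bounded by MAX_SUITE_SZ); non-zero -> SSLv2-only, skip. */
    for (i = 0; i < suites_len; i += V2_SUITE_LEN, pos += V2_SUITE_LEN) {
        if (in[pos] != 0) continue;
        if (j + SUITE_LEN > MAX_SUITE_SZ) return -1;
        ch->cipher_suites[j]     = in[pos + 1];
        ch->cipher_suites[j + 1] = in[pos + 2];
        j += SUITE_LEN;
    }
    ch->suite_len = (uint16_t)j;

    ch->id_len = (uint8_t)id_len;
    memcpy(ch->session_id, in + pos, id_len);
    pos += id_len;

    memset(ch->random_, 0, RAN_LEN - rand_len);
    memcpy(ch->random_ + (RAN_LEN - rand_len), in + pos, rand_len);
    return 0;
}

/* Constructed sample: SSL 3.0 version, two cipher specs (one SSLv3-style
 * 0x000004, one SSLv2-only 0x010080), no session id, 16-byte challenge. */
const uint8_t sample_hello[] = {
    0x03, 0x00,             /* version */
    0x00, 0x06,             /* cipher spec length: 2 entries * 3 bytes */
    0x00, 0x00,             /* session id length */
    0x00, 0x10,             /* challenge length: 16 */
    0x00, 0x00, 0x04,       /* SSLv3-style suite 0x0004 */
    0x01, 0x00, 0x80,       /* SSLv2-only suite, skipped */
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
    0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0
};
const size_t sample_hello_len = sizeof sample_hello;
```

The three rejections the test exercises map to the three fields named in the advisory: a session-id length above ID_LEN, more SSLv3-style suites than MAX_SUITE_SZ holds, and a challenge that is not actually present in the received bytes.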
[Full-disclosure] Multiple vulnerabilities in Georgia SoftWorks SSH2 Server 7.01.0003
### Luigi Auriemma

Application:  Georgia SoftWorks SSH2 Server (GSW_SSHD)
              http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions:     <= 7.01.0003
Platforms:    Windows
Bugs:         A] format string in the log function
              B] buffer-overflow in the log function
              C] buffer-overflow in the handling of the password
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

GSW_SSHD is a well known commercial SSH server which acts as an SSH
tunnel for the telnet server GS_Tnet.exe.

###

=== 2) Bugs ===

--- A] format string in the log function ---

The logging function used by the server is affected by a format string
vulnerability caused by the usage of vsprintf to build the first
message (like "LoginPassword(%s(%s)[%u])") and of another vsprintf to
build the final log entry from it. The bug is exploitable through the
username field.

--- B] buffer-overflow in the log function ---

A buffer-overflow vulnerability is located in the same logging
function. It's enough to use a username longer than 1 chars to exploit
the vulnerability.

--- C] buffer-overflow in the handling of the password ---

The server is affected also by another buffer-overflow, this time
located in the instructions which handle the password supplied by the
client, exploitable through a string longer than 800 chars.

###

=== 3) The Code ===

http://aluigi.org/poc/gswsshit.zip

###

=== 4) Fix ===

No fix

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Buffer-overflow and format string in White_Dune 0.29beta791
### Luigi Auriemma

Application:  White_Dune
              http://vrml.cip.ica.uni-stuttgart.de/dune/
Versions:     <= 0.29beta791
Platforms:    Unix/Linux/MacOSX and Windows
Bugs:         A] buffer-overflow in Scene::errorf
              B] format string in ImportFile
Exploitation: local
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

White_Dune is an open source editor/viewer for VRML97 files.

###

=== 2) Bugs ===

--- A] buffer-overflow in Scene::errorf ---

A buffer-overflow vulnerability is located in the function which builds
the error messages for the problems encountered while parsing the WRL
file.

From Scene.cpp:

  void Scene::errorf(const char *fmt, ...)
  {
      va_list ap;
      char buf[1024], buf2[1024];
      const char *url = "";

      va_start(ap, fmt);
      vsprintf(buf, fmt, ap);
      if (TheApp->getImportURL() != NULL)
          url = TheApp->getImportURL();
      mysnprintf(buf2, 1024, "%s %d: %s", url, lineno, buf);
      _compileErrors += buf2;
  }

--- B] format string in ImportFile ---

Another problem related to the handling of the errors. After the error
message has been built, the parse() function returns immediately and
swDebugf() is called to display it on stderr or in the debugger,
without the format argument required by the function.

From DuneApp.cpp:

  DuneApp::ImportFile(const char *openpath, Scene* scene, bool protoLibrary,
                      Node *node, int field)
  ...
      if (errors[0]) {
          swMessageBox(_mainWnd, errors, "Parse Errors", SW_MB_OK,
                       SW_MB_WARNING);
          swDebugf(errors);
  ...

###

=== 3) The Code ===

http://aluigi.org/poc/whitedunboffs.zip

###

=== 4) Fix ===

Version 0.29beta795

###

---
Luigi Auriemma
http://aluigi.org
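The GSW_SSHD advisory (bugs A and B) and this White_Dune advisory (bugs A and B) describe the same pair of mistakes in error and log formatting: vsprintf() into a fixed stack buffer with no length, and then passing the text just built, which contains attacker data, as the format of the next printf-family call (the second vsprintf in the GSW logger, swDebugf(errors) in ImportFile). The following added example in C (not Georgia SoftWorks or White_Dune code) shows each mistake in a comment next to its bounded form: errorf_bounded() keeps the shape of Scene::errorf, login_entry() keeps the shape of the "LoginPassword(%s(%s)[%u])" message, and debug_sink() stands in for a variadic swDebugf-style function so the effect can be checked in a buffer. Names and buffer sizes are mine.

```c
/* Added example, not GSW or White_Dune code: bounded formatting and
 * "data is never a format" for error messages and log entries. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERR_BUF 1024

/* Scene::errorf, bounded. Original:
 *     char buf[1024], buf2[1024];
 *     vsprintf(buf, fmt, ap);                       -- no bound
 *     mysnprintf(buf2, 1024, "%s %d: %s", url, lineno, buf);
 * Returns the length the full message would need (snprintf semantics), so
 * a caller can detect truncation with ret >= outsz. */
int errorf_bounded(char *out, size_t outsz, const char *url, int lineno,
                   const char *fmt, ...)
{
    char buf[ERR_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);      /* stops at ERR_BUF-1 chars */
    va_end(ap);
    return snprintf(out, outsz, "%s %d: %s", url ? url : "", lineno, buf);
}

/* swDebugf-style sink: variadic, so its first argument is a format.
 *     debug_sink(out, n, errors);         -- WRONG: errors is attacker text
 *     debug_sink(out, n, "%s", errors);   -- right
 * Writes into a caller buffer here so the result can be inspected. */
int debug_sink(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* What ImportFile should do with a parse error: build it bounded, then
 * pass it to the sink as an argument of "%s". */
int report_parse_error(char *out, size_t outsz, const char *url, int lineno,
                       const char *what)
{
    char errors[ERR_BUF];
    errorf_bounded(errors, sizeof errors, url, lineno, "%s", what);
    return debug_sink(out, outsz, "%s", errors);
}

/* GSW-style login log entry. Shape described in the advisory:
 *     vsprintf(first, "LoginPassword(%s(%s)[%u])", ...);  -- no bound
 *     vsprintf(entry, first, ...);                         -- first is the format
 * Here the username is always an argument of "%s", never the format. */
int login_entry(char *out, size_t outsz, const char *user, const char *host,
                unsigned session)
{
    char first[256];
    snprintf(first, sizeof first, "LoginPassword(%s(%s)[%u])", user, host, session);
    return snprintf(out, outsz, "%s", first);
}
```

The test feeds "%x%x%n"-style usernames and messages through both paths and checks they come out verbatim, and feeds a 3000-byte message to errorf_bounded() to confirm it truncates and reports the truncation instead of overrunning.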
[Full-disclosure] Buffer-overflow in CoolPlayer 217
### Luigi Auriemma

Application:  CoolPlayer
              http://coolplayer.sourceforge.net
Versions:     <= 217
Platforms:    Windows
Bug:          buffer-overflow in CPLI_ReadTag_OGG
Exploitation: local
Date:         28 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

CoolPlayer is a tiny open source media player for Windows.

###

=== 2) Bug ===

The tags in OGG Vorbis files are handled by the CPLI_ReadTag_OGG
function, which uses sscanf to store the tag's name and its value in
two stack buffers; the lack of width limits in the format argument
results in a buffer-overflow.

From CPI_PlaylistItem.c:

  void CPLI_ReadTag_OGG(CPs_PlaylistItem* pItem)
  ...
      char cTag[128];
      char cValue[2048];

      if(sscanf(pComment->user_comments[iCommentIDX], " %[^= ] = %[^=]", cTag, cValue) == 2)
  ...

###

=== 3) The Code ===

  vorbiscomment -t cTag=AAA_2500_A's_AAA -a input.ogg output.ogg

###

=== 4) Fix ===

The problem has been reported to the developers, who said they will
work on this and on any other old public bug.

###

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in libnemesi 0.6.4-rc1
###

                             Luigi Auriemma

Application:  libnemesi
              http://live.polito.it/documentation/libnemesi
Versions:     <= 0.6.4-rc1
Platforms:    *nix
Bugs:         A] buffer-overflow in handle_rtsp_pkt
              B] buffer-overflow in the send_*_request functions
              C] buffer-overflow in get_transport_str_*
Exploitation: remote
Date:         27 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

libnemesi is an open source client library for implementing RTSP/RTP streaming playback easily. The library has been written by the Italian team of the Politecnico di Torino University for the LScube project.

###

=== 2) Bugs ===

-------------------------------------
A] buffer-overflow in handle_rtsp_pkt
-------------------------------------

handle_rtsp_pkt is the function used for checking the server's reply; it uses a buffer of 32 bytes called ver for containing the version sent by the server (like HTTP/1.0) using a sscanf without size limitations.

From rtsp/rtsp_handlers.c:

  int handle_rtsp_pkt(rtsp_thread * rtsp_th)
  {
      char ver[32];
      int opcode;
      ...
      if (sscanf((rtsp_th->in_buffer).data, "%s ", ver) < 1) {
      ...

The same bug exists also in the check_status function located in rtsp_internals.c but naturally can't be reached since handle_rtsp_pkt is called (and exploited) first.

--------------------------------------------------
B] buffer-overflow in the send_*_request functions
--------------------------------------------------

The send_*_request functions available in rtsp/rtsp_send.c (send_pause_request, send_play_request, send_setup_request and send_teardown_request) are vulnerable to various buffer-overflow vulnerabilities caused by the usage of buffers initialized using 256 bytes plus the size of one parameter without considering all the others received by the server like, for example, Content-Base.

-----------------------------------------
C] buffer-overflow in get_transport_str_*
-----------------------------------------

Another buffer-overflow vulnerability is available in the get_transport_str_sctp, get_transport_str_tcp and get_transport_str_udp functions in which strncpy is used in a wrong way. In fact the size parameter does not refer to the size of the destination buffer but to that of the source.

From rtsp/rtsp_transport.c:

  int get_transport_str_sctp(rtp_session * rtp_sess, char * tkna, char * tknb)
  {
      char str[256];
      uint16_t stream;

      do {
          if ((tkna = strstrcase(tknb, "server_streams"))) {
              for (; (*tkna == ' ') || (*tkna != '='); tkna++);
              for (tknb = tkna++; (*tknb == ' ') || (*tknb != '-'); tknb++);
              strncpy(str, tkna, tknb - tkna);
      ...

###

=== 3) The Code ===

http://aluigi.org/poc/libnemesibof.zip

  nc -l -p 554 -v -v -n < bof1.txt
  nc -l -p 554 -v -v -n < bof2.txt
  nc -l -p 554 -v -v -n < bof3.txt

###

== 4) Fix ==

Version 0.6.4-rc2

###

---
Luigi Auriemma
http://aluigi.org
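The two defects above (bug A, an unbounded "%s" into a 32-byte buffer; bug C, strncpy bounded by the source token instead of the destination) have a short corrective form. The following is an added example written for this page, not libnemesi code: the function names parse_rtsp_version, copy_token and parse_server_streams are assumed, strstr stands in for the library's strstrcase, and the buffer sizes VER_LEN and STR_LEN are the ones quoted from the advisory.

```c
/* Added example (not libnemesi code): destination-bounded versions of the
 * two copies the advisory describes.
 *
 * Bug A: sscanf("%s") into char ver[32] has no width limit.  The fix is a
 * width one less than the buffer ("%31s") so the terminating NUL fits.
 *
 * Bug C: strncpy(str, tkna, tknb - tkna) bounds the copy by the SOURCE
 * token length, so a token longer than str[256] overruns it.  The fix
 * bounds by the destination and truncates.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VER_LEN 32     /* same size as 'ver' in handle_rtsp_pkt */
#define STR_LEN 256    /* same size as 'str' in get_transport_str_* */

/* Parse the leading version token of an RTSP reply into ver[VER_LEN].
 * Returns 1 on success, 0 if no token could be read. */
int parse_rtsp_version(const char *reply, char ver[VER_LEN])
{
    /* "%31s" reads at most 31 chars; with the NUL that is 32 == VER_LEN. */
    if (sscanf(reply, "%31s", ver) < 1) {
        ver[0] = '\0';
        return 0;
    }
    return 1;
}

/* Copy the token [tkna, tknb) into dst of size dstsz, always NUL
 * terminating and truncating if needed.  Returns the number of bytes
 * actually copied. */
size_t copy_token(char *dst, size_t dstsz, const char *tkna, const char *tknb)
{
    size_t n = (size_t)(tknb - tkna);
    if (dstsz == 0) return 0;
    if (n > dstsz - 1) n = dstsz - 1;   /* bound by DESTINATION, not source */
    memcpy(dst, tkna, n);
    dst[n] = '\0';
    return n;
}

/* Extract the value of "server_streams=<value>-..." from a Transport
 * header, mirroring the scan in get_transport_str_sctp: find the key,
 * move past '=', copy up to '-'.  Returns 1 if the key was present. */
int parse_server_streams(const char *transport, char str[STR_LEN])
{
    const char *tkna = strstr(transport, "server_streams");  /* assumed: case-sensitive stand-in */
    const char *tknb;
    if (!tkna) return 0;
    tkna = strchr(tkna, '=');
    if (!tkna) return 0;
    tkna++;
    tknb = strchr(tkna, '-');
    if (!tknb) tknb = tkna + strlen(tkna);
    copy_token(str, STR_LEN, tkna, tknb);
    return 1;
}
```

The important property is that the bound comes from the destination size and is written next to the declaration, so a later change to VER_LEN or STR_LEN is visible at the copy site.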
[Full-disclosure] Multiple vulnerabilities in Feng 0.1.15
###

                             Luigi Auriemma

Application:  Feng
              http://live.polito.it/documentation/feng
Versions:     <= 0.1.15
Platforms:    *nix
Bugs:         A] first buffer-overflow in RTSP_valid_response_msg
              B] second buffer-overflow in RTSP_valid_response_msg
              C] crash in RTSP_remove_msg
              D] NULL pointer in parse_transport_header
              E] NULL pointer in parse_play_time_range
              F] NULL pointer in log_user_agent
              G] NULL pointer in Netembryo 0.0.4
Exploitation: remote
Date:         27 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Feng is an open source RTSP/RTP streaming server written by the Italian team of the Politecnico di Torino University for the LScube project.

###

=== 2) Bugs ===

---------------------------------------------------
A] first buffer-overflow in RTSP_valid_response_msg
---------------------------------------------------

A buffer-overflow vulnerability is exploitable through a stack buffer of 15 bytes called trash used as destination by sscanf without the needed size limits.

From rtsp/RTSP_state_machine.c:

  int RTSP_valid_response_msg(unsigned short *status, char *msg, RTSP_buffer * rtsp)
  // This routine is from BP.
  {
      char ver[32], trash[15];
      unsigned int stat;
      unsigned int seq;
      int pcnt;                   /* parameter count */

      *ver = *msg = '\0';
      /* assuming "stat" may not be zero (probably faulty) */
      stat = 0;
      pcnt = sscanf(rtsp->in_buffer, " %31s %u %s %s %u\n%255s ", ver, &stat, trash, trash, &seq, msg);
      ...

----------------------------------------------------
B] second buffer-overflow in RTSP_valid_response_msg
----------------------------------------------------

A buffer-overflow vulnerability is exploitable through a stack buffer of 100 bytes called msg used as destination by sscanf limited to 255 bytes in the function RTSP_valid_response_msg.

From rtsp/RTSP_state_machine.c:

  int RTSP_handler(RTSP_buffer * rtsp)
  {
      unsigned short status;
      char msg[100];
      ...
      op = RTSP_valid_response_msg(&status, msg, rtsp);
      ...

  int RTSP_valid_response_msg(unsigned short *status, char *msg, RTSP_buffer * rtsp)
      ...
      sscanf(rtsp->in_buffer, " %31s %u %s %s %u\n%255s ", ver, &stat, trash, trash, &seq, msg);
      ...

-------------------------
C] crash in RTSP_remove_msg
-------------------------

An integer overflow is exploitable through the RTP packets. Using a 16 bit size value of 0x it is possible to force the server to move 4294967293 bytes in the destination buffer:

  RTSP_BUFFERSIZE = 65536
  len             = 65539  (4 of hdrlen + 0x)
  result          = -3

From rtsp/RTSP_lowlevel.c:

  void RTSP_remove_msg(int len, RTSP_buffer * rtsp)
  {
      rtsp->in_size -= len;
      if (rtsp->in_size && len) {
          /* discard the message from the in_buffer. */
          memmove(rtsp->in_buffer, &(rtsp->in_buffer[len]), RTSP_BUFFERSIZE - len);
          memset(&(rtsp->in_buffer[len]), 0, RTSP_BUFFERSIZE - len);
      }
  }

----------------------------------------
D] NULL pointer in parse_transport_header
----------------------------------------

From rtsp/RTSP_setup.c:

  static RTSP_Error parse_transport_header(RTSP_buffer * rtsp,
  ...
      p = strstr(p, "=");
      sscanf(p + 1, "%d", &(cli_ports.RTP));
      p = strstr(p, "-");
      sscanf(p + 1, "%d", &(cli_ports.RTCP));
  ...
      p = strstr(p, "=");
      sscanf(p + 1, "%d", &rtp_ch);
  ...
      p = strstr(p, "=");
      sscanf(p + 1, "%d", &rtp_ch);
  ...

----------------------------------------
E] NULL pointer in parse_play_time_range
----------------------------------------

From rtsp/RTSP_Play:

  static RTSP_Error parse_play_time_range(RTSP_buffer * rtsp, play_args * args)
  ...
      q = strchr(q, '=');
      if (get_utc(&(args->playback_time), q + 1) != ERR_NOERROR) {
  ...

--------------------------------
F] NULL pointer in log_user_agent
--------------------------------

The log
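Bugs A through E share three root causes: scanf conversions without a width matching their buffer, a message length trusted before it is compared with what is actually buffered, and strstr()/strchr() results dereferenced without a NULL check. The block below is an added example for this page, not Feng code: rtsp_parse_status_line, rtsp_remove_msg_checked and parse_client_port are assumed names, the rtsp_buf struct is a constructed stand-in for RTSP_buffer, and the status-line format is simplified to "<version> <status> <reason>" rather than Feng's exact sscanf string.

```c
/* Added example (not Feng code): hardened counterparts of the three
 * patterns in bugs A-E.  RTSP_BUFFERSIZE and MSG_LEN are the sizes the
 * advisory quotes; rtsp_buf is a constructed stand-in for RTSP_buffer. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RTSP_BUFFERSIZE 65536
#define VER_LEN 32      /* 'ver' in RTSP_valid_response_msg */
#define MSG_LEN 100     /* 'msg' in RTSP_handler, the real destination */

typedef struct {
    char   in_buffer[RTSP_BUFFERSIZE];
    size_t in_size;     /* bytes currently valid in in_buffer */
} rtsp_buf;

/* Bugs A/B: every conversion carries a width one less than its buffer, and
 * the width for msg is derived from the CALLER's buffer (100), not from a
 * larger number chosen inside the callee.  Returns 1 on success. */
int rtsp_parse_status_line(const char *in, char ver[VER_LEN], unsigned *status,
                           char msg[MSG_LEN])
{
    ver[0] = msg[0] = '\0';
    return sscanf(in, " %31s %u %99[^\r\n]", ver, status, msg) == 3;
}

/* Bug C: a len larger than the buffer made RTSP_BUFFERSIZE - len negative,
 * which memmove/memset take as a huge size_t.  Validate len against what
 * is really buffered before touching memory.  Returns 0 or -1 (refused). */
int rtsp_remove_msg_checked(rtsp_buf *rtsp, size_t len)
{
    if (rtsp->in_size > RTSP_BUFFERSIZE) return -1;     /* corrupt state */
    if (len == 0) return 0;
    if (len > rtsp->in_size) return -1;                 /* more than we have */
    rtsp->in_size -= len;
    memmove(rtsp->in_buffer, rtsp->in_buffer + len, rtsp->in_size);
    memset(rtsp->in_buffer + rtsp->in_size, 0, RTSP_BUFFERSIZE - rtsp->in_size);
    return 0;
}

/* Bugs D/E: strstr()/strchr() return NULL when the expected '=' or '-' is
 * absent and the original code dereferenced p + 1 regardless.  Parse
 * "client_port=<rtp>-<rtcp>" and fail cleanly on malformed input. */
int parse_client_port(const char *transport, int *rtp, int *rtcp)
{
    const char *p = strstr(transport, "client_port");
    if (!p) return -1;
    p = strchr(p, '=');
    if (!p || sscanf(p + 1, "%d", rtp) != 1) return -1;
    p = strchr(p, '-');
    if (!p || sscanf(p + 1, "%d", rtcp) != 1) return -1;
    if (*rtp < 0 || *rtp > 65535 || *rtcp < 0 || *rtcp > 65535) return -1;
    return 0;
}
```

The length check in rtsp_remove_msg_checked compares against in_size rather than RTSP_BUFFERSIZE alone: a len that fits the buffer but exceeds the bytes received would still move stale data to the front of the message.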
[Full-disclosure] Buffer-overflow in Extended Module Player 2.5.1
###

                             Luigi Auriemma

Application:  Extended Module Player (XMP)
              http://xmp.sourceforge.net
Versions:     <= 2.5.1
Platforms:    Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows, OS/2 and AmigaOS
Bugs:         A] buffer-overflow in test_oxm / decrunch_oxm
              B] buffer-overflow in dtt_load
Exploitation: local
Date:         27 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Extended Module Player (XMP) is a small command-line player for a lot of good old MOD files.

###

=== 2) Bugs ===

-------------------------------------------
A] buffer-overflow in test_oxm / decrunch_oxm
-------------------------------------------

The functions which handle the OXM file format (not active in Windows and Amiga) are vulnerable to a buffer-overflow caused by the bypassing of the "ilen > 263" check due to the sign of ilen. So setting ilen to a negative value will allow an attacker to overflow the buf buffer and possibly execute malicious code.

From misc/oxm.c:

  int test_oxm(FILE *f)
  {
      int i, j;
      int hlen, npat, len, plen;
      int nins, nsmp, ilen;
      int slen[256];
      uint8 buf[1024];
      ...
      ilen = read32l(f);
      if (ilen > 263)
          return -1;
      fseek(f, -4, SEEK_CUR);
      fread(buf, ilen, 1, f);   /* instrument header */
      ...

The same problem is located in decrunch_oxm() which naturally is not so important in this case since test_oxm() is called before it.

-----------------------------
B] buffer-overflow in dtt_load
-----------------------------

Another vulnerability is located in dtt_load() where the pofs and plen arrays can be overflowed with arbitrary data.

From loaders/dtt_load.c:

  static int dtt_load(struct xmp_context *ctx, FILE *f, const int start)
  ...
      uint32 pofs[256];
      uint8 plen[256];
      int sdata[64];
      ...
      m->xxh->pat = read32l(f);
      ...
      for (i = 0; i < m->xxh->pat; i++)
          pofs[i] = read32l(f);
      ...

###

=== 3) The Code ===

http://aluigi.org/poc/xmpbof.zip

###

== 4) Fix ==

The bugs will be fixed in the next version.

###

---
Luigi Auriemma
http://aluigi.org
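Both XMP bugs are length fields read from the file and used as array bounds: in bug A the value is signed, so a negative ilen passes "ilen > 263" and becomes a huge size_t in fread(); in bug B the pattern count is never compared with the 256-entry arrays. The following is an added example for this page, not XMP code: read32l_mem is an assumed in-memory replacement for XMP's read32l(FILE *), and oxm_read_instrument_header and dtt_read_pattern_offsets are constructed names; the limits 263, 1024 and 256 are the ones the advisory quotes.

```c
/* Added example (not XMP code): the two length checks done on unsigned
 * values with the full range compared, over an in-memory byte buffer so
 * the logic can be exercised without files. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 32-bit read, standing in for XMP's read32l(FILE *).
 * Returns 0 on success, -1 if fewer than 4 bytes remain. */
static int read32l_mem(const uint8_t *data, size_t len, size_t *pos, uint32_t *out)
{
    if (len < 4 || *pos > len - 4) return -1;
    const uint8_t *p = data + *pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *pos += 4;
    return 0;
}

#define OXM_ILEN_MAX 263      /* the limit the original check intended */

/* Bug A: 'int ilen; if (ilen > 263)' lets negative values through and
 * fread() then takes them as a huge size_t.  Read into an unsigned type so
 * 0xffffffff (-1 as int) is simply "too large", and also check that the
 * file really contains ilen bytes before copying.  Mirrors the original's
 * rewind of 4 bytes so buf receives the length field too. */
int oxm_read_instrument_header(const uint8_t *data, size_t len, size_t *pos,
                               uint8_t buf[1024], uint32_t *ilen_out)
{
    uint32_t ilen;
    if (read32l_mem(data, len, pos, &ilen) < 0) return -1;
    if (ilen > OXM_ILEN_MAX) return -1;          /* covers every negative int */
    *pos -= 4;                                   /* fseek(f, -4, SEEK_CUR) */
    if (ilen > len - *pos) return -1;            /* truncated file */
    memcpy(buf, data + *pos, ilen);              /* ilen <= 263 < 1024 */
    *pos += ilen;
    *ilen_out = ilen;
    return 0;
}

#define DTT_MAX_PAT 256       /* size of pofs[] and plen[] */

/* Bug B: the pattern count from the file indexed pofs[256] directly.
 * Reject counts the arrays cannot hold before the loop runs. */
int dtt_read_pattern_offsets(const uint8_t *data, size_t len, size_t *pos,
                             uint32_t pofs[DTT_MAX_PAT], uint32_t *npat_out)
{
    uint32_t npat, i;
    if (read32l_mem(data, len, pos, &npat) < 0) return -1;
    if (npat > DTT_MAX_PAT) return -1;
    for (i = 0; i < npat; i++)
        if (read32l_mem(data, len, pos, &pofs[i]) < 0) return -1;
    *npat_out = npat;
    return 0;
}
```

Reading the field as uint32_t is what makes the single comparison sufficient; with a signed int the check needs both "ilen < 0" and "ilen > 263", and the first is the one that gets forgotten.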
[Full-disclosure] Buffer-overflow and format string in VideoLAN VLC 0.8.6d
###

                             Luigi Auriemma

Application:  VideoLAN (VLC)
              http://www.videolan.org
Versions:     <= 0.8.6d
Platforms:    Windows, Mac, *BSD, *nix and more
Bugs:         A] buffer-overflow in the handling of the subtitles
                 (originally found by Michal Luczaj)
              B] format string in the web interface
Exploitation: A] local
              B] remote
Date:         24 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

VideoLAN (VLC) is one of the most famous and used media players for various reasons: simple to use, open source, multi platform, many features available, continuously updated and more.

###

=== 2) Bugs ===

------------------------------------------------------
A] buffer-overflow in the handling of the subtitles
------------------------------------------------------

VLC is able to handle the subtitles automatically in a very simple way: it just checks the presence of ssa files with the same name as the loaded video and a possible subtitles folder. The functions which handle the MicroDvd, SSA and Vplayer subtitle formats are vulnerable to some stack based buffer-overflow vulnerabilities which can allow an attacker to execute malicious code.

From modules\demux\subtitle.c:

  static int ParseMicroDvd( demux_t *p_demux, subtitle_t *p_subtitle )
  ...
      char buffer_text[MAX_LINE + 1];
  ...
      if( sscanf( s, "{%d}{}%[^\r\n]", &i_start, buffer_text ) == 2 ||
          sscanf( s, "{%d}{%d}%[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)

  static int ParseSSA( demux_t *p_demux, subtitle_t *p_subtitle )
  ...
      char buffer_text[ 10 * MAX_LINE];
      char buffer_text2[ 10 * MAX_LINE];
  ...
      if( sscanf( s, "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%[^\r\n]", buffer_text2, &h1, &m1, &s1, &c1, &h2, &m2, &s2, &c2, buffer_text ) == 10 )

  static int ParseVplayer( demux_t *p_demux, subtitle_t *p_subtitle )
  ...
      char buffer_text[MAX_LINE + 1];
  ...
      if( sscanf( p, "%d:%d:%d%[ :]%[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )

As written in the header of this advisory, these buffer-overflow bugs were originally found and reported by Michal Luczaj this summer, and the strange thing is that the SVN has been fixed since that time BUT the current 0.8.6d (both executables and source code!) is still vulnerable.

References:

  http://mailman.videolan.org/pipermail/vlc-devel/2007-June/032672.html
  http://mailman.videolan.org/pipermail/vlc-devel/2007-June/033394.html
  http://trac.videolan.org/vlc/browser/trunk/modules/demux/subtitle.c?rev=20715

------------------------------------
B] format string in the web interface
------------------------------------

VLC can be controlled remotely through a nice web interface (a mini http server) which runs by default on port 8080. The instructions which handle the Connection parameter sent by the client pass its content to the httpd_MsgAdd function without the needed format argument. In addition the newly formatted Connection field is also sent back by the server in its reply, very useful for the attacker to tune his own exploit for increasing the percentage of success of the attack.

From network\httpd.c:

  static int httpd_FileCallBack( httpd_callback_sys_t *p_sys, httpd_client_t *cl, httpd_message_t *answer, httpd_message_t *query )
  ...
      psz_connection = httpd_MsgGet( &cl->query, "Connection" );
      if( psz_connection != NULL )
      {
          httpd_MsgAdd( answer, "Connection", psz_connection );
      }

###

=== 3) The Code ===

http://aluigi.org/poc/vlcboffs.zip

A] open vlcbof.avi and the ssa subtitle will be loaded automatically
B] nc SERVER 8080 -v -v < vlcfs.txt

###

== 4) Fix ==

Current SVN is fixed.
The nightly builds are available here:

  http://nightlies.videolan.org

###

---
Luigi Auriemma
http://aluigi.org
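Bug A is a scanset ("%[^\r\n]") with no width writing into a MAX_LINE+1 buffer, and bug B is attacker text handed to a printf-style function as the format argument. The following is an added example for this page, not VLC code: parse_microdvd_line, hdr_add, header_t and echo_connection are assumed names standing in for VLC's subtitle parser and httpd_MsgAdd, and MAX_LINE is set here to 8192 as a constructed value.

```c
/* Added example (not VLC code): a width-limited scanset for the MicroDVD
 * line, and a printf-style header adder called the safe way, with the
 * untrusted value as an argument rather than as the format. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

#define MAX_LINE 8192   /* constructed value for this example */

/* Stringify a numeric macro so the scanset width tracks the buffer size. */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Bug A: sscanf(s, "{%d}{%d}%[^\r\n]", ...) copied an unbounded line into
 * buffer_text[MAX_LINE + 1].  Give the scanset a width of MAX_LINE; the
 * extra byte holds the NUL.  Returns 1 if the line parsed, 0 otherwise;
 * i_stop is -1 when the line used the "{start}{}" form. */
int parse_microdvd_line(const char *s, int *i_start, int *i_stop,
                        char buffer_text[MAX_LINE + 1])
{
    if (sscanf(s, "{%d}{}%" STR(MAX_LINE) "[^\r\n]", i_start, buffer_text) == 2) {
        *i_stop = -1;
        return 1;
    }
    if (sscanf(s, "{%d}{%d}%" STR(MAX_LINE) "[^\r\n]",
               i_start, i_stop, buffer_text) == 3)
        return 1;
    return 0;
}

/* Bug B: httpd_MsgAdd(answer, "Connection", psz_connection) passed the
 * client's header value as the FORMAT string.  hdr_add below is a
 * constructed printf-like header adder with the same shape. */
typedef struct { char line[256]; } header_t;

static int hdr_add(header_t *h, const char *name, const char *fmt, ...)
{
    va_list ap;
    char value[200];
    va_start(ap, fmt);
    vsnprintf(value, sizeof value, fmt, ap);
    va_end(ap);
    return snprintf(h->line, sizeof h->line, "%s: %s", name, value);
}

/* Echo the client's Connection header back safely: the untrusted text is a
 * "%s" argument, so "%n" or "%x" inside it are copied literally, never
 * interpreted as conversions.  Returns 1 if a header was added. */
int echo_connection(header_t *answer, const char *psz_connection)
{
    if (!psz_connection) return 0;
    hdr_add(answer, "Connection", "%s", psz_connection);
    return 1;
}
```

Deriving the width from the same macro as the buffer size is the part worth copying: a literal "%8192[^\r\n]" silently becomes wrong the day MAX_LINE changes.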
[Full-disclosure] Double directory traversal in ImgSvr 0.6.21
###

                             Luigi Auriemma

Application:  Ada Image server (ImgSvr)
              http://adaimgsvr.sourceforge.net
Versions:     <= 0.6.21 and SVN <= 28
Platforms:    Windows and *nix
Bug:          directory traversal
Exploitation: remote
Date:         24 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

From the developer's website:
"ImgSvr is a personal or corporate Embedded Picture Web Server that lets you efficiently browse digital pictures. Contrary to other gallery systems, imgsvr aimed to be an easy and fully dynamic picture server, no static created thumbnails are created."

###

== 2) Bug ==

A directory traversal vulnerability can be exploited through the usage of additional chars before the URI. In my tests any byte was good except NULL, line feed, ?, :, slash and backslash (so an amount of valid chars between 248 and 251 depending on the location of the char and whether the hex format has been used).

A secondary type of directory traversal is exploitable through the template parameter.

If the root directory of the server is protected by authentication, the attacker must know the right username and password.

###

=== 3) The Code ===

  GET hello../../../../../boot.ini HTTP/1.0

  GET anything_you_want../..%2f../%2e.%5c..%5cboot.ini HTTP/1.0

  http://SERVER:1235/?template=..\..\..\..\boot.ini

###

== 4) Fix ==

The problems will be fixed in the next version.

#######

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Unicode buffer-overflow in Zoom Player 6.00b2
###

                             Luigi Auriemma

Application:  Zoom Player
              http://www.inmatrix.com
Versions:     <= v6.00 beta 2 and naturally all the stable v5 versions
Platforms:    Windows
Bug:          unicode buffer-overflow
Exploitation: local
Date:         24 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

Zoom Player is a media player for Windows which supports many formats through external filters.

###

== 2) Bug ==

Zoom Player is affected by a unicode buffer-overflow in the function which builds the error messages. The problem can be exploited for example through a malformed ZPL file containing a http link to a file with PLS extension which will force the program to use wsprintf for building the "Unable to play [%s]" error message.

###

=== 3) The Code ===

http://aluigi.org/poc/zoomprayer.zpl

###

== 4) Fix ==

The next beta will contain the fix.

###

---
Luigi Auriemma
http://aluigi.org
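The bug described above is the classic shape of an error-message overflow: a fixed buffer, a formatting call that takes no length (wsprintf), and a file-supplied name of arbitrary size. As an added example for this page (not Zoom Player code; build_unable_to_play and ERRMSG_LEN are assumed names and sizes), the following builds the same "Unable to play [...]" text with an explicit bound and, rather than silently cutting the name, elides its middle so the message still shows where the file came from.

```c
/* Added example (not Zoom Player code): bounded construction of the
 * "Unable to play [<name>]" message.  snprintf() takes a size where
 * wsprintf() does not; the same approach applies to a wide-character
 * formatter that takes a length. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ERRMSG_LEN 256   /* assumed size of the fixed message buffer */

/* Write "Unable to play [<name>]" into out[outsz], never past its end.
 * Returns 1 if the name had to be shortened to fit, 0 otherwise.  Over-long
 * names keep their head and tail with "..." between, since the start of a
 * path (drive, host) and its end (file name) are what a user recognises. */
int build_unable_to_play(char *out, size_t outsz, const char *name)
{
    static const char prefix[] = "Unable to play [";
    static const char suffix[] = "]";
    const size_t fixed = (sizeof prefix - 1) + (sizeof suffix - 1);
    size_t room, nlen = strlen(name);

    if (outsz <= fixed) {                 /* not even the frame fits */
        if (outsz) out[0] = '\0';
        return 1;
    }
    room = outsz - 1 - fixed;             /* bytes available for the name */
    if (nlen <= room) {
        snprintf(out, outsz, "%s%s%s", prefix, name, suffix);
        return 0;
    }
    if (room < 4) {                       /* too small to elide, plain cut */
        snprintf(out, outsz, "%s%.*s%s", prefix, (int)room, name, suffix);
    } else {
        size_t head = (room - 3) / 2;
        size_t tail = room - 3 - head;
        snprintf(out, outsz, "%s%.*s...%s%s",
                 prefix, (int)head, name, name + nlen - tail, suffix);
    }
    return 1;
}
```

The return value lets the caller log the full name elsewhere when the displayed one was shortened, so the truncation is visible instead of being a side effect.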
[Full-disclosure] Buffer-overflow in WinUAE 1.4.4
###

                             Luigi Auriemma

Application:  WinUAE
              http://www.winuae.net
Versions:     <= 1.4.4
Platforms:    Windows
Bug:          buffer-overflow
Exploitation: local
Date:         21 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

WinUAE is the most known and used Amiga emulator for Windows.

A note about this advisory: UAE (and consequently WinUAE) is affected by some design bugs which introduce other security problems (as pointed out by the developer himself) so I focused only on the following non-design security bug.

###

== 2) Bug ==

WinUAE supports various types of compressed floppy disk images. Gzip compression (images with gz, adz, roz and hdz extensions) is handled by an internal function called zfile_gunzip in which a stack buffer of 1000 (MAX_DPATH) bytes is used for holding the name of the file available in the gzipped archive. The instructions which copy the name from the archive to the buffer don't check its length, allowing an attacker to exploit the subsequent buffer-overflow for executing malicious code.

From zfile.c:

  struct zfile *zfile_gunzip (struct zfile *z)
  {
      uae_u8 header[2 + 1 + 1 + 4 + 1 + 1];
      z_stream zs;
      int i, size, ret, first;
      uae_u8 flags;
      long offset;
      char name[MAX_DPATH];
      uae_u8 buffer[8192];
      ...
      do {
          zfile_fread (name + i, 1, 1, z);
      } while (name[i++]);
      ...

###

=== 3) The Code ===

http://aluigi.org/poc/winuaebof.zip

###

== 4) Fix ==

Version 1.4.5

#######

---
Luigi Auriemma
http://aluigi.org
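The gzip header's original-file-name field (FNAME, RFC 1952) is NUL-terminated with no length prefix, which is why the byte-at-a-time loop above runs until the archive says stop. A bounded reader has to do two things: cap what it stores, and still consume the whole field so the stream stays positioned at the compressed data. The following is an added example for this page, not WinUAE code: memstream, gz_read_fname and gz_parse_header are assumed names, and only the FNAME flag is handled (FEXTRA, FCOMMENT and FHCRC are left out).

```c
/* Added example (not WinUAE code): bounded parse of a gzip header's
 * FNAME field over an in-memory stream. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_DPATH 1000      /* WinUAE's name buffer size, per the advisory */
#define GZ_FNAME  0x08      /* FLG.FNAME bit in the gzip header (RFC 1952) */

/* Constructed stand-in for the zfile stream. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } memstream;

/* Read the NUL-terminated original file name into name[MAX_DPATH].
 * The original loop 'do { fread(name+i,1,1) } while (name[i++]);' stored
 * every byte.  Here at most MAX_DPATH-1 bytes are kept, the rest are
 * skipped, and the field is still consumed up to its NUL so the caller
 * lands on the deflate data.  Returns 0, or -1 if the stream ends first. */
int gz_read_fname(memstream *z, char name[MAX_DPATH])
{
    size_t i = 0;
    for (;;) {
        uint8_t c;
        if (z->pos >= z->len) { name[i] = '\0'; return -1; }  /* truncated file */
        c = z->data[z->pos++];
        if (c == '\0') break;
        if (i < MAX_DPATH - 1) name[i++] = (char)c;           /* cap, keep consuming */
    }
    name[i] = '\0';      /* i <= MAX_DPATH-1, always in bounds */
    return 0;
}

/* Parse the fixed 10-byte gzip header and, if FLG.FNAME is set, the name.
 * On success z->pos is at the start of the compressed stream and name holds
 * the (possibly shortened) file name or "".  Returns 0 or -1. */
int gz_parse_header(memstream *z, char name[MAX_DPATH])
{
    uint8_t flags;
    name[0] = '\0';
    if (z->pos > z->len || z->len - z->pos < 10) return -1;
    if (z->data[z->pos] != 0x1f || z->data[z->pos + 1] != 0x8b) return -1;  /* ID1, ID2 */
    if (z->data[z->pos + 2] != 8) return -1;                                  /* CM = deflate */
    flags = z->data[z->pos + 3];
    z->pos += 10;                                                             /* ID, CM, FLG, MTIME, XFL, OS */
    if (flags & GZ_FNAME) return gz_read_fname(z, name);
    return 0;
}
```

Note the order inside the loop: the NUL test comes before the store, so a name that is exactly at the cap and the one that overruns it both end with a terminator written by the function, never by the file.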
[Full-disclosure] Array overflow in id3lib (devel CVS)
###

                             Luigi Auriemma

Application:  id3lib
              http://id3lib.sourceforge.net
Versions:     only devel (CVS)
              stable (3.8.3) is NOT affected
Platforms:    Windows, *nix and Mac
Bug:          array overflow
Exploitation: local
Date:         19 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

id3lib is a well known and used library for handling the ID3 tags in audio files. Actually the library is divided in two branches: stable (3.8.3 released in the far 2003) and devel (the current CVS). Although the vulnerable instructions are located in both versions only the devel is exploitable because the ID3v2 4.0 tags are not supported in the stable (watch ID3V2_LATEST in globals.h).

###

== 2) Bug ==

The problem is in the extflags array (a pointer to array) which has a size of only one element while extflagbytes can support from 0 to 255 elements. So, using an extflagbytes of 0 will cause a crash since the subsequent instructions consider extflags[0] initialized, while using higher values it is possible to overflow this small array.

From header_tag.cpp:

  void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
  ...
      const int extflagbytes = reader.readChar(); //Number of flag bytes
      ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes should be equal to 1
      for (i = 0; i < extflagbytes; ++i)
      {
          extflags[i] = new ID3_Flags;
          extflags[i]->set(reader.readChar()); //flags
      }

I have many doubts about the real exploitation of this overflow for executing malicious code, but I can't exclude it at all.

###

=== 3) The Code ===

http://aluigi.org/poc/id3libexec.zip

###

== 4) Fix ==

I have sent a mail to the developers but later I have read on the mailing-list of the project that the development of id3lib is practically dead.

###

---
Luigi Auriemma
http://aluigi.org
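The comment in the quoted code already states the invariant ("extflagbytes should be equal to 1") but nothing enforces it; a count of 0 leaves extflags[0] unset and any count above 1 writes past the one-element array. The following is an added example for this page, not id3lib code: reader_t, read_synchsafe32 and parse_extended_header are assumed names, and the ID3v2.4 layout assumed is a synchsafe 4-byte extended-header size (minimum 6, counting itself), one byte giving the number of flag bytes, then the flag bytes.

```c
/* Added example (not id3lib code): parse the start of an ID3v2.4 extended
 * header with the flag-byte count enforced before it is used as a bound. */
#include <stdint.h>
#include <stddef.h>

#define ID3V2_4_EXT_FLAG_BYTES 1   /* ID3v2.4 defines exactly one flag byte */

/* Constructed in-memory reader standing in for ID3_Reader. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } reader_t;

static int read_char(reader_t *r, uint8_t *out)
{
    if (r->pos >= r->len) return -1;
    *out = r->data[r->pos++];
    return 0;
}

/* Synchsafe integer: four bytes, 7 bits each, high bit must be clear. */
static int read_synchsafe32(reader_t *r, uint32_t *out)
{
    uint32_t v = 0;
    uint8_t b;
    int i;
    for (i = 0; i < 4; i++) {
        if (read_char(r, &b) < 0 || (b & 0x80)) return -1;
        v = (v << 7) | b;
    }
    *out = v;
    return 0;
}

/* Read the extended header size, the flag-byte count and the flag bytes.
 * The original stored into 'ID3_Flags* extflags[1]' for every i below the
 * file-supplied count.  Here the count must equal what the spec allows, so
 * 0 (uninitialised read) and 2..255 (overflow) are rejected up front, and
 * the destination array is sized by the same constant.  Returns 0 or -1. */
int parse_extended_header(reader_t *r, uint32_t *ext_size,
                          uint8_t flags[ID3V2_4_EXT_FLAG_BYTES])
{
    uint8_t extflagbytes, i;
    if (read_synchsafe32(r, ext_size) < 0) return -1;
    if (*ext_size < 6) return -1;                 /* size(4) + count(1) + flags(1) */
    if (read_char(r, &extflagbytes) < 0) return -1;
    if (extflagbytes != ID3V2_4_EXT_FLAG_BYTES) return -1;
    for (i = 0; i < extflagbytes; i++)
        if (read_char(r, &flags[i]) < 0) return -1;
    return 0;
}
```

Tying the loop bound and the array size to the same named constant is what turns the comment into a check; a parser that wants to tolerate future flag bytes would instead keep the file's count for skipping and store only the first ID3V2_4_EXT_FLAG_BYTES of them.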
[Full-disclosure] Heap overflow in PeerCast 0.1217
###

                             Luigi Auriemma

Application:  PeerCast
              http://www.peercast.org
Versions:     <= 0.1217 and SVN <= 344
Platforms:    Windows, plugin for Winamp, Linux and Mac
Bug:          heap overflow
Exploitation: remote
Date:         17 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

PeerCast is a multi platform open source software for peer2peer radio streaming.
The broadcasters are visible at http://yp.peercast.org

###

== 2) Bug ==

The handshakeHTTP function which handles all the requests received from the other clients is vulnerable to a heap overflow which allows an attacker to fill the loginPassword and loginMount buffers located in the Servent class with as much data as he wants.

From servhs.cpp:

  void Servent::handshakeHTTP(HTTP &http, bool isHTTP)
  {
      char *in = http.cmdLine;
      ...
      }else if (http.isRequest("SOURCE"))
      {
          if (!isAllowed(ALLOW_BROADCAST))
          ...
          mount = in+strlen(in);
          while (*--mount)
              if (*mount == '/')
              {
                  mount[-1] = 0;  // password precedes
                  break;
              }
          strcpy(loginPassword,in+7);
          ..
          if (mount)
              strcpy(loginMount,mount);
          ...

ALLOW_BROADCAST ("allowBroadcast" in peercast.ini) is enabled by default.

###

=== 3) The Code ===

http://aluigi.org/poc/peercasthof.zip

###

== 4) Fix ==

Version 0.1218 or SVN 347

###

---
Luigi Auriemma
http://aluigi.org
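The overflow comes from two strcpy() calls that take their length from the request line rather than from the Servent fields. The same pattern, an unbounded strcpy() of the remainder of a URI into a fixed buffer, is what the BadBlue PassThru advisory below describes, so one example covers both. This is an added example for this page, not PeerCast or BadBlue code: servent_t, copy_bounded and parse_source_request are assumed names, the "SOURCE <password>/<mount>" layout follows the backward scan for '/' in the quoted code, and LOGIN_LEN is a constructed size.

```c
/* Added example (not PeerCast code): the SOURCE request line split into
 * password and mount with copies bounded by the destination fields.
 * Credentials that do not fit are refused rather than truncated, since a
 * silently shortened password or mount point would change its meaning. */
#include <string.h>
#include <stddef.h>

#define LOGIN_LEN 64    /* constructed size for loginPassword / loginMount */

typedef struct {
    char loginPassword[LOGIN_LEN];
    char loginMount[LOGIN_LEN];
} servent_t;

/* Copy exactly n bytes of src into dst[dstsz] and NUL terminate.
 * Returns -1 without writing if the result would not fit. */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n >= dstsz) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "SOURCE <password>/<mount>" as the quoted code does (scan from the
 * end for '/', everything before it is the password, '/' onward is the
 * mount), but with every copy bounded.  Returns 0 on success, -1 if the
 * line is not a SOURCE request, has no '/', or a part is too long; on -1
 * the servent fields are left untouched. */
int parse_source_request(servent_t *sv, const char *cmdLine)
{
    const char *in, *slash;
    char password[LOGIN_LEN], mount[LOGIN_LEN];

    if (strncmp(cmdLine, "SOURCE ", 7) != 0) return -1;
    in = cmdLine + 7;
    slash = strrchr(in, '/');                     /* last '/' as in the original scan */
    if (!slash) return -1;
    if (copy_bounded(password, sizeof password, in, (size_t)(slash - in)) < 0) return -1;
    if (copy_bounded(mount, sizeof mount, slash, strlen(slash)) < 0) return -1;
    memcpy(sv->loginPassword, password, sizeof password);
    memcpy(sv->loginMount, mount, sizeof mount);
    return 0;
}
```

Parsing into locals and committing only on success keeps a half-updated servent_t from surviving a rejected request, which matters when the same object is reused for the next connection.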
[Full-disclosure] Multiple vulnerabilities in BadBlue 2.72b
###

                             Luigi Auriemma

Application:  BadBlue
              http://www.badblue.com
Versions:     <= 2.72b
Platforms:    Windows
Bugs:         A] PassThru buffer-overflow
              B] upload directory traversal
              C] path disclosure
Exploitation: remote
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

BadBlue is a commercial web server for sharing files easily.

###

=== 2) Bugs ===

---------------------------
A] PassThru buffer-overflow
---------------------------

When the PassThru command of ext.dll is invoked the BadBlue server takes the rest of the URI received from the client and copies it in a stack buffer of 4096 bytes using strcpy(), causing a buffer overflow.

-----------------------------
B] upload directory traversal
-----------------------------

Using the upload feature it is possible for an attacker to upload a specific file outside the destination folder, with also the possibility of overwriting existing files, including ext.ini which contains all the configuration of the server.

------------------
C] path disclosure
------------------

The full path of the webserver is visible when using the "?&browse=" parameter on a nonexistent folder, useful in conjunction with bug B.

###

=== 3) The Code ===

A] http://aluigi.org/poc/badbluebof.txt

   nc SERVER 80 -v -v < badbluebof.txt

B] http://aluigi.org/testz/myhttpup.zip

   myhttpup http://SERVER/upload.dll file.txt ../../file.txt filedata0

C] http://SERVER/blah/?&browse=

###

== 4) Fix ==

No fix.
I was waiting for a second mail from the developers but nothing after almost two weeks.

#######

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Filesystem access in DOSBox 0.72
###

                             Luigi Auriemma

Application:  DOSBox
              http://dosbox.sourceforge.net
Versions:     <= 0.72 and current CVS
Platforms:    Windows, Linux, *BSD and Mac
Bug:          access to the filesystem
Exploitation: local
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bug
3) The Code
4) Fix

###

=== 1) Introduction ===

DOSBox is an excellent emulator for running software written for the DOS environment like programs and games (moreover abandonware games which are very used today).

###

== 2) Bug ==

DOSBox acts as a virtual machine in which the filesystem is limited to the folders that the user decides to mount as virtual drives, and any instruction is emulated within DOSBox without accessing the external resources and memory. So practically the emulated DOS program can work only inside this "cage" (that's also why it is possible to run viruses and malware without problems for the system).

Anyway, although these limitations exist, there is a very simple way to gain access to the entire real filesystem (so not only the virtual one) because the MOUNT command used by DOSBox for mounting the real folders as virtual drives can be called by the emulated program itself.

In short, if the program executes system("mount x c:\"); it gains read/write access to the C: disk where it is then possible to modify all the files to which the user has access (like for example placing the execution of a program at the next reboot or substituting a valid executable with a custom one).

MOUNT is not the only DOSBox related command available (check the Z: disk) but it is the only one which has a real security impact if executed.

###

=== 3) The Code ===

http://aluigi.org/poc/dosboxxx.zip

###

== 4) Fix ==

The developers don't think this can be considered a security problem, while in my opinion doing something outside the environment created by the virtual machine must be considered a risk.

#######

---
Luigi Auriemma
http://aluigi.org
[Full-disclosure] Multiple vulnerabilities in BarracudaDrive 3.7.2
###

                             Luigi Auriemma

Application:  BarracudaDrive Web Server
              http://barracudaserver.com/products/BarracudaDrive/
              http://barracudaserver.com/products/HomeServer/
Versions:     <= 3.7.2
Platforms:    Windows
Bugs:         A] directory traversal
              B] scripts source visualization
              C] arbitrary files deleting by users
              D] NULL pointer crash in chat.ehintf by users
              E] html injection in the trace viewer
Exploitation: remote
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Barracuda Drive is a commercial webserver developed by Real Time Logic and contains many features.

###

=== 2) Bugs ===

----------------------
A] directory traversal
----------------------

A directory traversal vulnerability is exploitable through the usage of a backslash or any other char greater than 0x7f at the beginning of the URI. The directories must be delimited by backslashes (and not slashes) for exploiting the bug.

--------------------------------
B] scripts source visualization
--------------------------------

All the custom scripts in the server (like the LUA scripts with lsp extension) can be visualized entirely instead of being executed simply by using a '+', a dot or any other char greater than 0x7f after the script's name.

------------------------------------
C] arbitrary files deleting by users
------------------------------------

BarracudaDrive allows the admin to create users which can then access their personal folders, chat between them and so on. The problem here is that these authenticated users can delete files and empty folders anywhere in the disk on which their personal directory is located simply by using the usual ..\ pattern. Note that it is also possible to create directories in the disk using the same trick but this is not a real security problem.

---------------------------------------------
D] NULL pointer crash in chat.ehintf by users
---------------------------------------------

As already said the users can also chat between them using a simple web interface called Group Chat. In this case it's enough to avoid passing the Connection ID of the user in the URI for crashing the entire server due to a NULL pointer.

-------------------------------------
E] html injection in the trace viewer
-------------------------------------

BarracudaDrive logs any bad or wrong HTTP request received from the clients and the Trace page in the admin interface can be used to visualize these log files. The problem is that they are visualized as HTML and there are no checks or limitations on their content, so a remote attacker can use this bug for injecting scripts in these files, for example for retrieving the cookie of the admin and gaining access to the server configuration.

###

=== 3) The Code ===

A] http://SERVER/\..\..\..\boot.ini
   http://SERVER/%80..\..\..\boot.ini
   http://SERVER/%ff..\bdlicense.dat

B] http://SERVER/lua.lsp+
   http://SERVER/lua.lsp.
   http://SERVER/lua.lsp%80

C] POST /drive/c/bdusers/USER/?cmd=rm HTTP/1.1
   Host: SERVER
   Cookie: "use the real user's cookie!"
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 21

   dir=..\..\..\file.txt

D] POST /eh/chat.ehintf/C. HTTP/1.1
   Host: SERVER
   Content-Type: text/plain
   Content-Length: 0
   Cookie: "use the real user's cookie!"

E] GET alert('hello'); HTTP/1.0

###

== 4) Fix ==

Version 3.8

###

---
Luigi Auriemma
http://aluigi.org
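Bug E is a log viewer that emits recorded request lines into an HTML page verbatim, so anything an anonymous client can get logged ends up executing in the admin's browser. The fix is output encoding at the point where log text meets HTML. The following is an added example for this page, not BarracudaDrive code: html_escape and format_trace_row are assumed names, and the table-row layout is constructed for illustration.

```c
/* Added example (not BarracudaDrive code): escape log text before it is
 * embedded in the HTML trace page. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Write the HTML-escaped form of src into dst[dstsz], always NUL
 * terminated.  Returns the length the full escaped text needs (excluding
 * the NUL), like snprintf, so a caller can detect truncation.  A whole
 * entity is either copied or dropped, never split. */
size_t html_escape(char *dst, size_t dstsz, const char *src)
{
    size_t need = 0, copied = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        size_t rl;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        rl = strlen(rep);
        if (copied == need && need + rl < dstsz) {   /* still fits, keep copying */
            memcpy(dst + copied, rep, rl);
            copied += rl;
        }
        need += rl;
    }
    if (dstsz) dst[copied] = '\0';
    return need;
}

/* Render one trace entry as a table row.  Both the peer address and the
 * request line are untrusted and go through html_escape; the markup
 * around them is the only literal HTML.  Returns snprintf's result. */
int format_trace_row(char *dst, size_t dstsz, const char *peer, const char *request)
{
    char esc_peer[128], esc_req[1024];
    html_escape(esc_peer, sizeof esc_peer, peer);
    html_escape(esc_req, sizeof esc_req, request);
    return snprintf(dst, dstsz, "<tr><td>%s</td><td>%s</td></tr>", esc_peer, esc_req);
}
```

The five characters escaped here are the ones that matter in element content and in quoted attribute values; text that is placed inside a script block or a URL needs a different encoding, which is why the escaping belongs where the HTML is generated rather than where the log is written.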
[Full-disclosure] Upload directory traversal in Easy File Sharing 4.5
###

                             Luigi Auriemma

Application:  Easy File Sharing Web Server
              http://www.sharing-file.com
Versions:     <= 4.5
Platforms:    Windows
Bugs:         A] upload directory traversal
              B] download of database files
              C] possibility of reading sensitive files
Exploitation: remote
Date:         07 Dec 2007
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    aluigi.org

###

1) Introduction
2) Bugs
3) The Code
4) Fix

###

=== 1) Introduction ===

Easy File Sharing Web Server is a commercial file sharing software which allows the downloading and the uploading of files through the web browser.

###

=== 2) Bugs ===

-----------------------------
A] upload directory traversal
-----------------------------

An attacker can upload a specific file outside the destination folder, with the possibility of overwriting those already existing, using the upload feature available for the user's folder, the forum and the other possible virtual folders. The attacker must have the needed privileges for uploading files (by default guests can upload files on the forum so in this case there are no problems) and "Allow files to be overwritten" (enabled by default) must be active for overwriting the existing files.

-----------------------------
B] download of database files
-----------------------------

All the .sdb database files (MyDB, http://www.mghsoft.com) except admin.sdb and user.sdb can be downloaded by external users, who can retrieve some sensitive information from them. This information can be very useful in conjunction with the other vulnerabilities described in this advisory.

-----------------------------------------
C] possibility of reading sensitive files
-----------------------------------------

By default when a user registers an account on the server a new folder with his name is created in the users folder (by default c:\). If the user uses the same name as an existing file in that folder (for example boot.ini) he and any other external client will be able to read that file if they access that virtual folder. Note that it doesn't seem possible to use directory traversal tricks and directories. Due to the low risk of this bug it's reported here only for thoroughness.

###

=== 3) The Code ===

A] http://aluigi.org/poc/efsup.zip

B] http://SERVER/vfolder.sdb

C] create a new account using the name of a file existent in the users folder, for example boot.ini, then (without the need to login) go on http://SERVER/boot.ini and you will see the content of c:\boot.ini

###

== 4) Fix ==

The bugs will be fixed in a future version.

#######

---
Luigi Auriemma
http://aluigi.org
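Four of the advisories on this page (ImgSvr, BadBlue bug B, BarracudaDrive bugs A and C, and Easy File Sharing bug A) are the same failure: a request path or upload name is joined to a server directory before it has been reduced to something that cannot climb above that directory. The variants seen above are junk characters before the ".." (ImgSvr), percent-encoded dots and backslashes (ImgSvr), backslash-only separators (BarracudaDrive) and "../../" in an upload file name (BadBlue, Easy File Sharing). The following is an added example for this page, not code from any of those servers: decode_path and resolve_under_root are assumed names, and the handling decisions (backslash treated as a separator, "%00" rejected, a ".." at the root refused rather than ignored) are this example's own.

```c
/* Added example (not code from ImgSvr, BadBlue, BarracudaDrive or Easy
 * File Sharing): reduce a request path to a safe relative path under a
 * virtual root, or reject it. */
#include <stddef.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst[dstsz], mapping '\\' to '/' since the
 * Windows servers above accept both.  Returns -1 on a malformed escape,
 * an encoded NUL, or overflow.  Decoding happens BEFORE the ".." check so
 * "%2e." and "%5c" cannot hide a traversal. */
static int decode_path(char *dst, size_t dstsz, const char *src)
{
    size_t o = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int h = hexval((unsigned char)src[0]);
            int l = (h >= 0) ? hexval((unsigned char)src[1]) : -1;
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l;
            src += 2;
        }
        if (c == 0) return -1;                 /* %00 would cut the real path */
        if (c == '\\') c = '/';
        if (o + 1 >= dstsz) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Resolve a request path relative to a virtual root.  Empty and "."
 * segments are dropped; ".." pops the previous segment and is refused at
 * depth 0, so "hello../../x", "..%5c..%5cboot.ini" and "../../file.txt"
 * all fail while "gallery/a.jpg" passes.  A segment such as "hello.." is
 * just a name, not a traversal.  On success writes the segments joined by
 * '/' into out[outsz] and returns 0; returns -1 if rejected. */
int resolve_under_root(const char *request, char *out, size_t outsz)
{
    char buf[1024];
    char *segs[256];
    char *p;
    int depth = 0, i;
    size_t o = 0;

    if (decode_path(buf, sizeof buf, request) < 0) return -1;
    p = buf;
    while (*p) {
        char *seg = p;
        while (*p && *p != '/') p++;
        if (*p) *p++ = '\0';
        if (seg[0] == '\0' || strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0) return -1;          /* would climb above the root */
            depth--;
            continue;
        }
        if (depth == 256) return -1;
        segs[depth++] = seg;
    }
    out[0] = '\0';
    for (i = 0; i < depth; i++) {
        size_t l = strlen(segs[i]);
        if (o + l + 2 > outsz) return -1;
        if (i) out[o++] = '/';
        memcpy(out + o, segs[i], l);
        o += l;
        out[o] = '\0';
    }
    return 0;
}
```

The result is a relative path that a server can join to its root and open; on Windows the caller should still open it with the root as an explicit prefix and not re-interpret the name (trailing dots and spaces, alternate data streams and reserved device names are separate concerns this example does not cover).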