wp-02-0011: Jetty CGIServlet Arbitrary Command Execution
Westpoint Security Advisory

Title:         Jetty CGIServlet Arbitrary Command Execution
Risk Rating:   Medium
Software:      Jetty Servlet Container
Platforms:     Win32 (other platforms not tested)
Vendor URL:    www.mortbay.org
Author:        Matt Moore [EMAIL PROTECTED]
Date:          1st October 2002
Advisory ID#:  wp-02-0011.txt

Overview:
=========

Jetty is a 100% Java HTTP Server and Servlet Container. A flaw in the
CGIServlet allows an attacker to execute arbitrary commands on the server.

Details:
========

Commands can be executed on the server by making requests like:

http://jetty-server:8080/cgi-bin/..\..\..\..\..\..\winnt/notepad.exe

The path supplied after /cgi-bin/ is joined onto the CGI directory without
being checked for traversal, so backslash-separated '..' components walk out
of it and the named executable is run as if it were a CGI program.

Patch / Workaround Information:
===============================

The vendor responded quickly and has released a fixed version, 4.1.0, which
can be downloaded from http://jetty.mortbay.org

Excerpt from the vendor announcement at:
http://groups.yahoo.com/group/jetty-announce/message/45

'4.1.0 also contains a priority security fix for the CGI servlet running on
windows platforms. This remotely exploitable problem affects all previous
versions of Jetty that use the CGI servlet on windows without a permissions
file configured for the context. The CGI servlet from 4.1.0 may be used in
4.0 releases.'

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0011.txt
wp-02-0012: Carello 1.3 Remote File Execution (Updated 1/10/2002)
Westpoint Security Advisory

Title:         Carello 1.3 Remote File Execution
Risk Rating:   High
Software:      Carello Shopping Cart
Platforms:     Win2k, WinNT
Vendor URL:    www.carelloweb.com
Author:        Matt Moore [EMAIL PROTECTED]
Date:          10th July 2002
Advisory ID#:  wp-02-0012
Revision:      Updated 22/02/2002 (see addendum)

Overview:
=========

Carello 1.3 is a web based shopping cart solution which uses hidden HTML form
fields to specify the executables that handle POSTed form data.

Details:
========

Remote File Execution
---------------------

Carello uses hidden form fields to specify the names of executables on the
server which are to handle POSTed form data. This allows an attacker to
modify the HTML and specify an arbitrary executable, which the Carello server
software will then run. For example, a typical section of an HTML page
created by Carello looks like (angle brackets omitted):

form method=POST action=http://server/scripts/Carello/Carello.dll
input type=hidden name=CARELLOCODE value=WESTPOINT
input type=hidden name=VBEXE value=c:\inetpub\..carello-exe-file
input type=etc etc

Hence, by specifying a value like

c:\..\..\..\..\..\..\..\.\winnt\notepad.exe

an attacker can execute arbitrary files.

Vendor response:
================

The vendor indicated that the vulnerability will be fixed in the next version
of Carello. When asked for an expected release date, they replied that:

'Unfortunately, we do not have a plan to upgrade the program so far. But I put
your indication on our program modification request list.'

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt

Addendum:
=========

22/02/2002 - New information. Westpoint would like to thank Peter Grundl of
KPMG for providing additional information on this vulnerability:

Exploitable via GET requests
----------------------------

The vulnerability can also be exploited by making a GET request to the
vulnerable .dll and supplying 'VBEXE' as a query parameter.

Passing parameters to the invoked executable
--------------------------------------------

It is possible to pass parameters to the executable invoked through this
vulnerability. For example:

/scripts/Carello/Carello.dll?VBEXE=c:\.\winnt\system32\cmd.exe%20/c%20dir c:\dir.txt

Carello attempts to verify that the VBEXE file specified is not in
%systemroot%; prepending \.\ to the path circumvents this restriction.
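The two bugs above (Jetty's CGIServlet and Carello's VBEXE handler) share one root cause: a client-supplied path is used before it is canonicalised, so '..\' components walk out of the intended directory and a '\.\' prefix hides %systemroot% from a string comparison. The following is an added example, not code from the advisories or from either vendor, showing the check both products lacked. It applies Windows path semantics with Python's ntpath module, which works on any host. The directory layout is assumed for the demo, and since the advisory does not say how Carello implements its %systemroot% check, a plain prefix comparison (which the '\.\' trick would defeat) is assumed as the naive form.

```python
"""Added example: canonicalise before comparing. Not from the advisories or
from Jetty/Carello; the cgi-bin location and Carello's naive check are
assumptions for the demonstration."""
import ntpath


def canonical(path: str) -> str:
    """Resolve '.', '..' and mixed separators with Windows rules. ntpath.normpath
    drops leading '..' at a drive root, as the kernel does, so
    'c:\\..\\..\\winnt' becomes 'c:\\winnt'. Case is folded because NTFS is
    case-insensitive."""
    return ntpath.normpath(path).lower()


def is_inside(base_dir: str, path: str) -> bool:
    """True only if 'path' lies strictly below 'base_dir' after canonicalisation."""
    base = canonical(base_dir).rstrip("\\")
    return canonical(path).startswith(base + "\\")


def resolve_cgi_target(cgi_dir: str, request_path: str):
    """Jetty-style lookup: join the path from the URL onto the CGI directory and
    refuse anything that escapes it (including an absolute path, which
    ntpath.join would otherwise let replace the base). Returns the resolved
    path or None."""
    candidate = ntpath.join(cgi_dir, request_path)
    return canonical(candidate) if is_inside(cgi_dir, candidate) else None


def naive_systemroot_check(vbexe: str, systemroot: str = r"c:\winnt") -> bool:
    """Assumed shape of Carello's check: a raw prefix comparison.
    Returns True when the executable is blocked."""
    return vbexe.lower().startswith(systemroot.lower())


def hardened_systemroot_check(vbexe: str, systemroot: str = r"c:\winnt") -> bool:
    """Same policy applied to the canonical path: '\\.\\' no longer hides %systemroot%."""
    return is_inside(systemroot, vbexe) or canonical(vbexe) == canonical(systemroot)


if __name__ == "__main__":
    CGI_DIR = r"C:\jetty\webapps\demo\cgi-bin"  # assumed layout
    print(resolve_cgi_target(CGI_DIR, r"hello.exe"))
    print(resolve_cgi_target(CGI_DIR, r"..\..\..\..\..\..\winnt/notepad.exe"))
    print(resolve_cgi_target(CGI_DIR, r"C:\winnt\notepad.exe"))
    payload = r"c:\.\winnt\system32\cmd.exe"
    print(naive_systemroot_check(payload), hardened_systemroot_check(payload))
```

The hardened Carello check is shown only to make the '\.\' bypass concrete; a denylist on %systemroot% is still the wrong shape, because any other executable the web server can reach remains fair game. The durable fix is to keep the executable name out of the form entirely and map a short, server-side allowlisted token to the handler.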
wp-02-0003: MySQL Locally Exploitable Buffer Overflow
Westpoint Security Advisory

Title:         MySQL Locally Exploitable Buffer Overflow
Risk Rating:   Medium
Software:      MySQL Database v3.23.49-nt
Platforms:     Win32 (other platforms not tested)
Vendor URL:    www.mysql.com
Author:        Matt Moore [EMAIL PROTECTED]
Date:          1st October 2002
Advisory ID#:  wp-02-0003
CVE#:          CAN-2002-0969

Overview:
=========

The Win32 version of MySQL has a locally exploitable buffer overflow which
could allow an attacker to execute code in the context of the SYSTEM account
if MySQL is running as an NT Service (which is the default).

Details:
========

MySQL reads a configuration file, 'my.ini', from either c:\my.ini or
c:\WINNT\my.ini. The default ACLs for c:\my.ini allow the 'Everyone' group
Full Control. The ACLs for c:\winnt are slightly more restrictive, but do
allow members of the 'Power Users' NT group write access. Any local user can
therefore plant a c:\my.ini, and Power Users can also replace the copy in
c:\winnt.

By supplying an overly long string for the 'datadir' parameter in my.ini, it
is possible to overflow a buffer in mysqld-nt.exe, overwriting EIP and hence
executing arbitrary code in the context of the SYSTEM account.

E.g. change the entry for 'datadir' from:

datadir=C:/mysql/data

to:

datadir=C:/AA...

and restart the MySQL service or reboot the machine.

Vendor Response:
================

Fixed in the 3.23.50 release of MySQL and in MySQL 4.0.2.

Patch Information:
==================

Upgrade to the latest version from www.mysql.com

This advisory is available online at:
www.westpoint.ltd.uk/advisories/wp-02-0003.txt
wp-02-0005: Multiple Vulnerabilities in SuperScout Web Reports Server
Westpoint Security Advisory

Title:         Multiple Vulnerabilities in SuperScout Web Reports Server
Risk Rating:   High
Software:      SurfControl SuperScout WebFilter
Platforms:     Win32 (WinNT / Win2k)
Vendor URL:    www.surfcontrol.com
Author:        Matt Moore [EMAIL PROTECTED]
Date:          1st October 2002
Advisory ID#:  wp-02-0005
CVE#:          CAN-2002-0705 - usernames/passwords accessible
               CAN-2002-0706 - weak encryption for passwords
               CAN-2002-0707 - large GET requests
               CAN-2002-0708 - triple dot directory traversal
               CAN-2002-0709 - SQL injection

Overview:
=========

SurfControl's SuperScout Web Filter for Windows allows companies to monitor
and regulate their employees' use of the internet. It offers comprehensive
reporting capabilities and provides a 'web' interface for report retrieval.
Multiple vulnerabilities in the Web Reports Server could allow remote
attackers to compromise the host on which SuperScout is installed and to
modify or remove information from the database that it uses.

Details:
========

Usernames and Passwords Retrievable
-----------------------------------

The file located at:

http://reports-server:/surf/scwebusers

contains the usernames and passwords for each user of the reports server. The
usernames are in plain text, whilst the passwords are encrypted.

Weak Encryption
---------------

The encryption is implemented in a simple JavaScript function, located at:

http://reports-server:/surf/JavaScript/UserManager.js

The EncryptString function takes two parameters, 'text string' and 'key'.
Unfortunately, the key is hard-coded into another JavaScript function, and
hence it is trivial to decrypt the passwords. (The key is 'test'.) The stored
value of the default administrative password, '38', decrypts to 'admin'. Since
the key is served to every client along with the script, the scheme is a
reversible encoding rather than protection, and the passwords should be
treated as plain text. As a result, an attacker can access any report
available on the server.

DoS via Large GET Request
-------------------------

Repeated large GET requests cause the reports service to consume 100% CPU, at
which point it no longer services requests. The server does appear to recover
eventually; however, this was not tested extensively.

Triple Dot Directory Traversal
------------------------------

An attacker can retrieve any file on the server via a simple directory
traversal attack, e.g.

http://reports-server:/.../.../.../.../.../.../.../winnt/win.ini

SQL Injection Vulnerability
---------------------------

The various reports available are implemented as .dlls. Several of these
perform no input validation, and hence it is possible for an attacker to
execute arbitrary SQL queries against the database:

http://reports-server:/SimpleBar.dll/RunReport?...various parameters

Note:
-----

The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for this
returned the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/html/_sample_mfc_httpsvr.asp

The reports server appears to be based on a sample application from Microsoft.
Other servers based on this sample may be vulnerable to the directory
traversal and DoS attacks.

Vendor Response:
================

The vendor, SurfControl, was initially contacted on 18/07/02. The vendor
stated that they were looking at ways to deliver reports in different formats
and that these would encompass tighter security. They had no definite
timescales for this, but suggested the following workaround.

Patch Information:
==================

No patch available. Vendor supplied workaround: disable the reports server and
consider using a terminal session to the server to access the reports.

This advisory is available online at:
http://www.westpoint.ltd.uk/wp-02-0005.txt
wp-02-0008: Apache Tomcat Cross Site Scripting
Westpoint Security Advisory

Title:         Apache Tomcat Cross Site Scripting
Risk Rating:   Low
Software:      Apache Tomcat v4.0.3
Platforms:     WinNT, Win2k, Linux
Vendor URL:    jakarta.apache.org
Author:        Matt Moore [EMAIL PROTECTED]
Date:          10th July 2002
Advisory ID#:  wp-02-0008

Overview:
=========

Apache Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies. Tomcat
has a couple of Cross Site Scripting vulnerabilities.

Details:
========

Cross Site Scripting
--------------------

By using the /servlet/ mapping to invoke various servlets / classes it is
possible to cause Tomcat to throw an exception whose error page echoes the
request path, allowing XSS attacks (angle brackets omitted):

tomcat-server/servlet/org.apache.catalina.servlets.WebdavStatus/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.ContainerServlet/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Context/SCRIPTalert(document.domain)/SCRIPT
tomcat-server/servlet/org.apache.catalina.Globals/SCRIPTalert(document.domain)/SCRIPT

Linux and Win32 versions of Tomcat are vulnerable.

The DOS device name physical path disclosure bug reported recently by Peter
Grundl can also be used to perform XSS attacks, e.g.:

tomcat-server/COM2.IMG%20src=Javascript:alert(document.domain)

This is obviously Win32 specific.

Vendor Response:
================

None.

Patch Information:
==================

Upgrading to v4.1.3 beta resolves the DOS device name XSS issue. The
workaround for the other XSS issues described above is as follows: the invoker
servlet (mapped to /servlet/), which executes anonymous servlet classes that
have not been defined in a web.xml file, should be unmapped. The entry for
this can be found in the /tomcat-install-dir/conf/web.xml file.

Two Nessus plugins should be available to test for these vulnerabilities from
www.nessus.org:

apache_tomcat_DOS_Device_XSS.nasl
apache_tomcat_Servlet_XSS.nasl

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0008.txt
wp-02-0007: Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Westpoint Security Advisory

Title:         Microsoft SQLXML ISAPI Overflow and Cross Site Scripting
Risk Rating:   Medium
Software:      Microsoft SQLXML 3.0 / IIS 5.0 / SQL Server 2000
Platforms:     Win2K
Vendor URL:    www.microsoft.com
Author:        Matt Moore [EMAIL PROTECTED]
Date:          12 June 2002
Advisory ID#:  wp-02-0007.txt
CVE#:          CAN-2002-0186 (XSS) and CAN-2002-0187 (Overflow)

Overview:
=========

SQLXML allows XML data to be transferred to and from SQL Server, returning
database queries as XML. SQLXML has two vulnerabilities: a buffer overflow in
the SQLXML ISAPI filter, and a cross site scripting vulnerability. More
complete details on how SQLXML works can be found in Microsoft's advisory
(see below).

Details:
========

Cross Site Scripting
--------------------

Part of the functionality of SQLXML is being able to run SQL queries via a
URL such as:

IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML

This will return an XML document containing the query results. It is possible
to specify an extra parameter, 'root', which returns the data as above but
with the root tag of the XML document set to whatever the user specified.
This feature can be used to perform cross site scripting attacks against the
web application running on the server (angle brackets omitted):

IIS-server/Northwind?sql=SELECT+contactname,+phone+FROM+Customers+FOR+XML&root=SCRIPTalert(document.domain)/SCRIPT

Best practice recommends against allowing ad hoc URL queries against a
database.

SQLXML ISAPI Filter Buffer Overflow
-----------------------------------

When making SQL queries using the 'sql=' functionality of SQLXML it is
possible to specify certain parameters which affect the returned XML (e.g.
xsl=). One of these parameters lets you set a content-type. It is possible to
crash IIS by supplying an overly long string in the 'contenttype=' parameter.
This could also allow arbitrary code to be run on the server in the context
of the SYSTEM account.

A normal request looks like (in this case, a direct sql= query):

IIS-server/demos?sql=select+*+from+Customers+as+Customer+FOR+XML+auto&root=root&xsl=custtable.xsl&contenttype=text/html

By specifying 240 characters for the content-type parameter it is possible to
make inetinfo.exe crash. E.g. (using a 'template' file rather than a direct
query, in this case):

IIS-Server/Nwind/Template/catalog.xml?contenttype=text/...AAA

Patch Information:
==================

Microsoft has released patches and an advisory for the identified issues.
These are available from:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-030.asp

This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0007.txt
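The Tomcat issue in wp-02-0008 and the SQLXML 'root' issue above are the same defect on the output side: a request value is written into a response without being treated as data. Tomcat's invoker servlet echoed the requested class path into an exception page; SQLXML used the client-supplied root value as the name of the document element, so a value containing markup became markup. The following is an added example, not code from the advisories, Tomcat or Microsoft, showing the vulnerable pattern beside the fix for each: HTML-escape what goes into the error page, and accept only a bare XML element name for the root. Function names, the page text and the sample row are this example's own.

```python
"""Added example: reflected request data in an error page and in an XML
element name, vulnerable and hardened forms side by side. Not from Tomcat,
SQLXML or the advisories; names and sample data are constructed."""
import html
import re
from xml.etree import ElementTree as ET

# ASCII subset of the XML 1.0 Name production. '<', '>', '/', space and
# quotes are all outside it, so no markup can pass the check.
_XML_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9._:-]*$")


def error_page_unsafe(servlet_path: str) -> str:
    """The vulnerable pattern: the request path goes straight into the HTML."""
    return f"<html><body>Servlet not found: {servlet_path}</body></html>"


def error_page(servlet_path: str) -> str:
    """Hardened: HTML-escape anything that came from the request, quotes included."""
    safe = html.escape(servlet_path, quote=True)
    return f"<html><body>Servlet not found: {safe}</body></html>"


def is_xml_name(name: str) -> bool:
    """True only for a value that is usable as an element name and nothing more."""
    return bool(_XML_NAME.match(name))


def render_query_result_unsafe(rows, root: str) -> str:
    """What the advisory describes: the caller's root name is spliced in verbatim."""
    body = "".join(f'<Customers contactname="{c}" phone="{p}"/>' for c, p in rows)
    return f"<{root}>{body}</{root}>"


def render_query_result(rows, root: str) -> str:
    """FOR XML style document with a caller-chosen root element. The name is
    validated up front, and the tree is built with ElementTree so attribute
    values are escaped as well."""
    if not is_xml_name(root):
        raise ValueError(f"invalid root element name: {root!r}")
    doc = ET.Element(root)
    for contactname, phone in rows:
        ET.SubElement(doc, "Customers", contactname=contactname, phone=phone)
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    PAYLOAD = "<SCRIPT>alert(document.domain)</SCRIPT>"
    ROWS = [("Maria Anders", "030-0074321")]  # constructed sample row
    print(error_page_unsafe("/servlet/org.apache.catalina.Globals/" + PAYLOAD))
    print(error_page("/servlet/org.apache.catalina.Globals/" + PAYLOAD))
    print(render_query_result_unsafe(ROWS, PAYLOAD))
    try:
        render_query_result(ROWS, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_query_result(ROWS, "root"))
```

The allowlist is deliberately stricter than full XML, which permits a wide range of non-ASCII name characters; for a parameter that only ever needs to name a wrapper element, the narrow pattern costs nothing and removes the need to reason about encodings. Note that escaping the error page does not remove the underlying risk of the invoker servlet; the advisory's advice to unmap it still stands.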
wp-02-0006: Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Westpoint Security Advisory

Title:         Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Risk Rating:   High
Software:      ServletExec 4.1 ISAPI / IIS 4, 5
Platforms:     Win2k / WinNT 4
Vendor URL:    www.newatlanta.com
Author:        Matt Moore [EMAIL PROTECTED]
Date:          22 May 2002
Advisory ID#:  wp-02-0006.txt

Overview:
=========

ServletExec 4.1 ISAPI is a Java Servlet/JSP Engine for Internet Information
Server and is implemented as an ISAPI filter. The JSP functionality is
provided by a servlet which is enabled by default and contains three security
flaws.

Details:
========

1. ServletExec discloses physical path of webroot
=================================================

It is possible to invoke the class 'com.newatlanta.servletexec.JSP10Servlet'
directly by requesting a URL such as:

/servlet/com.newatlanta.servletexec.JSP10Servlet/

If no filename is supplied to it, then it returns an error message:

Error. The file was not found. (filename = f:\inetpub\wwwroot\servlet\com.newatlanta.servletexec.JSP10Servlet\)

disclosing the physical path of the web root.

2. JSP10Servlet allows files to be read from within IIS webroot
===============================================================

By invoking the JSP10Servlet (or simply JSPServlet) using the URL described
above, it is possible to read files from within the web root. It did not
appear to be possible to 'break out' of the web root and read files from
other parts of the file system. The path must be URL encoded for this to
work. For instance, a request such as

/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5c\global.asa

will retrieve the global.asa file, which is normally not served. The file is
read from disk by the servlet engine, so IIS's refusal to serve global.asa
and other source files does not apply.

3. DoS via overly long request for .JSP file
============================================

By making a request for an overly long named .jsp file, Internet Information
Server can be crashed. The denial of service condition can be triggered either
by requesting an overly long named .jsp file, i.e.

/servlet/AAAAA.jsp

or by invoking the JSPServlet or JSP10Servlet directly with the same overly
long name appended, e.g.

/servlet/com.newatlanta.servletexec.JSPServlet/

Patch Information:
==================

There is a workaround for the physical path disclosure bug, which should be
in the FAQs at http://www.newatlanta.com/products/servletexec/self_help/faq_list.jsp

The other issues are fixed in Patch #9 from
ftp://ftp.newatlanta.com/public/4_1/patches/

Additional Information
======================

Nessus plugins are available to test for the vulnerabilities identified
above, from www.nessus.org:

servletExec_DoS.nasl (ID 10958)
ServletExec_File_Reading.nasl (ID 10959)
ServletExec_path_disclosure.nasl (ID 10960)

This advisory is available online at:
www.westpoint.ltd.uk/advisories/wp-02-0006.txt
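Across these advisories the traversal takes four different shapes: Jetty's plain backslash '..\' walk, the '...' component the SuperScout reports server accepted (wp-02-0005), the URL-encoded backslash '..%5c' used against ServletExec above, and the absolute Windows path Carello was handed in a query parameter. A log filter that only looks for the literal string '../' misses all four. The following is an added example, not part of the Westpoint advisories or any vendor's code, of a detection pass over web server access logs that decodes the request target until it stops changing, folds backslashes to forward slashes, and then matches. The log lines are constructed for the demo in Common Log Format; the addresses, timestamps and sizes are made up.

```python
"""Added example: traversal detection over access log lines. Not from the
advisories; the sample log below is constructed."""
import re
from urllib.parse import unquote

SAMPLE_LOG = r"""
10.0.0.5 - - [01/Oct/2002:10:00:01 +0100] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [01/Oct/2002:10:00:02 +0100] "GET /cgi-bin/..\..\..\..\..\..\winnt/notepad.exe HTTP/1.0" 200 0
10.0.0.7 - - [01/Oct/2002:10:00:03 +0100] "GET /.../.../.../.../winnt/win.ini HTTP/1.0" 200 512
10.0.0.7 - - [01/Oct/2002:10:00:04 +0100] "GET /servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5c\global.asa HTTP/1.0" 200 2211
10.0.0.9 - - [01/Oct/2002:10:00:05 +0100] "GET /scripts/Carello/Carello.dll?VBEXE=c:\.\winnt\system32\cmd.exe%20/c%20dir HTTP/1.0" 200 0
10.0.0.9 - - [01/Oct/2002:10:00:06 +0100] "GET /a/..%255c..%255cboot.ini HTTP/1.0" 404 0
"""

# The quoted request line of Common Log Format: method, target, protocol.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# A path component consisting only of two or more dots ('..', '...', ...).
_TRAVERSAL = re.compile(r"(^|/)\.{2,}(/|$)")
# A drive-letter absolute path at the start of the target or of a parameter value.
_ABS_WIN = re.compile(r"(^|[=/?&])[A-Za-z]:/")


def decode_target(raw: str) -> tuple[str, int]:
    """Percent-decode until the result stops changing (bounded), then fold
    backslashes into forward slashes. Returns (decoded, passes_needed); a
    value that needed two passes was double-encoded ('%255c' -> '%5c' -> '\\')."""
    cur, passes = raw, 0
    while passes < 5:
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur, passes = nxt, passes + 1
    return cur.replace("\\", "/"), passes


def classify(raw_target: str) -> list[str]:
    """Suspicious features found in one request target, in a fixed order."""
    target, passes = decode_target(raw_target)
    findings = []
    if _TRAVERSAL.search(target):
        findings.append("dot-traversal")
    if _ABS_WIN.search(target):
        findings.append("absolute-windows-path")
    if passes >= 2:
        findings.append("double-encoded")
    return findings


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """(client address, raw target, findings) for every log line with findings."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST.search(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((line.split()[0], m.group("target"), findings))
    return hits


if __name__ == "__main__":
    for client, target, findings in scan(SAMPLE_LOG):
        print(f"{client:10} {', '.join(findings):35} {target}")
```

Matching on the decoded, separator-folded form is what makes the single rule catch '..\', '...' and '..%5c' alike; the bounded decode loop is there because a server that decodes twice would turn '%255c' into a backslash while a one-pass filter sees only '%5c'. Treat the 'absolute-windows-path' finding as a weaker signal than the others: a drive letter in a parameter is unusual for most applications but not impossible, so it is worth an alert rather than a block.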