####################################################################### Auriemma Luigi, PivX security advisory Application: Savant webserver (http://savant.sourceforge.net) Version: 3.1 and possibly previous versions Bug: Buffer overflow in cgitest, crash with negative Content-Length and bad chars usage Risk (medium): Remote DoS and authorization bypassing (the risk is between medium and high) Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC e-mail: aluigi@pivx.com web: http://www.pivx.com/luigi ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix 5) Philosophy _______________________________________________________________________ 1) Introduction =============== Savant webserver is an OpenSource webserver that runs on Win32. It's a very interesting server but has some security issues a lot being old unpatched bugs. One of these, for example, is a directory traversal bug that has been founded on 2.1 version but seems to still exist on this 3.1 (over a year ago!). Unfortunally I have contacted the vendor two times from August the 23rd but I have not yet received a response. _______________________________________________________________________ 2) Bug ====== A] Cgitest.exe overflow ----------------------- The cgitest.exe program that is inserted by default in the cgi-bin directory is vulnerable to a buffer-overflow. The limit of acceptable characters is 128 so we need to send only 136 bytes for overwrite EBP and EIP registers and crash the server. I don't think is possible to write a good shellcode in this case because the bytes that go into the stack are few, however an interesting and simple thing is to point the EIP register to KERNEL32.DLL->ReadFile, because the server will crash totally and the administrator will get a nice blue screen (tested on Win9x). During the blue screen the port 80 will stay opened but the server will not answers to client requests. B] Content-Length crash ----------------------- A nice DoS is the negative Content-Length value. The value that Savant waits from the user is an integer and when the attacker sends a negative number the server will crash. However until the Windows error message is not acknowledged the server will continue to run without problems. C] Authorization bypassing -------------------------- Uhmm the usual Win32 API problem is again our best friend and this time it gives us access to all of the user folders in Savant server. So adding the chars ' ' (%20) and '.' (%2e) at the end of the filename requested we will gain full access to the password protected folders. The other good news is that the limit of the network class is authorized to access to the folder can be bypassed without problems with this method (so if the admin has a set class D only access, the attacker with any IP have full access without respecting this limit). Note: if we want to use the space (' ') char, we must add also the '/' char after it. _______________________________________________________________________ 3) The Code =========== A] Cgitest.exe overflow ----------------------- Check my web page for a tiny example that causes a blue screen and server crash (so crash all the server and not only the single connection). I have simply written the EIP 00409430 (that point to KERNEL32.DLL->ReadFile but you can use KERNEL32.DLL->WriteFile too) for having a bad DoS that crashes the server and give blue screen. Usage: nc <host> 80 -v -v -n < savant-cgitest.txt http://www.pivx.com/luigi/poc/savant-cgitest.txt B] Content-Length crash ----------------------- GET / HTTP/1.0 Content-Length: -1 C] Authorization bypassing -------------------------- http://host/password_folder. "GET /password_folder / HTTP/1.0" <-- use with telnet http://host/password_folder%2e http://host/password_folder%20 _______________________________________________________________________ 4) Fix ====== No fix available. Check the Savant website for updates: http://savant.sourceforge.net _______________________________________________________________________ 5) Philosophy ============= I'm really hopeful about the FULL-DISCLOSURE policy, because with it "everyone" can know the real effects of an attack, the real danger of a bug, someone can learn a bit of creative programming (I have learned a bit of interesting C from the source code of some published exploits under this policy) and it's useful for all the people that are hopeful in this type of disclosure. No secrets! _______________________________________________________________________ About PivX Solutions PivX Solutions, is a premier network security consultancy offering a myriad of network security services to our clients, the most notable being our proprietary Risk and Vulnerability Assessment (RAVA). Dedicated PivX founders have also developed the patented Invisiwall network security device which offers the most comprehensive and secure intrusion detection system available. For more information go to http://www.PivX.com Any type of feedback is really welcome! BYEZ --- Pivx Security Researcher
