InstantServers MiniPortal Multiple Vulnerabilities

From: Strumpf Noir Society (vuln-devat_private)
Date: Sat Feb 09 2002 - 13:48:35 PST

Next message: Colby Marks: "RE: Security Advisory - #1"

Previous message: Tom Gilder: "MSN Messenger Hijacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Strumpf Noir Society Advisories
! Public release !
<--#


-= InstantServers MiniPortal Multiple Vulnerabilities =-

Release date: Saturday, February 9, 2002


Introduction:

InstantServers' MiniPortal provides a complete solution for fast
and easy web site hosting on a Windows PC. It features a (Apache-
based) HTTP server as well as a FTP server by default.

MiniPortal is available from vendor InstantServers' website:
http://www.instantservers.com


Problem(s):

The FTP server coming with MiniPortal contains multiple 
vulnerabilities which could be exploited by an attacker to obtain 
user account information, read access to any file on the local HD 
and which could lead to arbitrary code execution.


MiniPortal Plaintext Account and Session Data

MiniPortal stores its account information in plaintext .pwd files
in the miniportal/apache directory. Also, full login and session 
data is stored plaintext in the file miniportal/mplog.txt. Through
either physical access to the system or by abusing below described
directory traversal problem, elevated privileges could be obtained
on the system in question by retrieving these files.


MiniPortal Directory Traversal Vulnerability

The FTP server supplied with MiniPortal does not properly restrict
access to files outside of the user directory. By using a 'triple 
dot' notation ('.../file.ext') an attacker can break out of this 
directory and obtain read access to any file on the local disk. 

(This vulnerability only seems to work on WinNT/Win2k server systems,
a discussion in regards to why this is is still going on on the
vuln-dev list :)


MiniPortal Login Buffer Overflow Vulnerability

Due to improper bounds checking, a buffer overflow condition is in
existence in one of the logging routines of said FTP server. This
can be exploited by supplying the server with overly long (>4093
bytes) input at login. Besides crashing the FTP server, this can be
exploited to execute arbitrary code on the system.


(..)


Solution:

Vendor has been notified and has made version MiniPortal v1.1.6
available, which supplies fixes/workarounds for these issues.

This was tested against MiniPortal v1.1.5 on Win2k.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!

Next message: Colby Marks: "RE: Security Advisory - #1"
Previous message: Tom Gilder: "MSN Messenger Hijacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Feb 09 2002 - 14:36:31 PST