Aprelium Abyss webserver X1 arbitrary code execution and header injection

From: Fozzy (fozzyat_private)
Date: Sun Jun 29 2003 - 16:43:14 PDT


    --[ Description ]--
    
    Abyss Web Server is a free, closed-source, personal web server
    for Windows and Linux operating systems.
    Homepage : http://www.aprelium.com
    
    The Hackademy Audit team has found two remote security holes in
    Abyss Webserver X1, allowing arbitrary code execution and header
    injection.
    
    
    --[ Details ]--
    
    1/ Remotely exploitable heap buffer overflow.
    ---------------------------------------------
    
    A buffer of length 0x800 is allocated on the heap. An unchecked call to
    strcpy() can overflow this buffer with a string of almost arbitrary
    length and content supplied by a remote attacker.
    The request leading to the overflow is the following. The important part
    is the two characters ":\" at the end of the requested URL:
    
    GET /AAAAAA[...]AAAA:\ HTTP/1.0
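The pattern described above, as an added example that is not code from the advisory or from Aprelium (the server is closed source): a fixed 0x800-byte heap buffer filled by an unchecked strcpy(), shown beside the bounded copy that would have prevented the overflow. The buffer size is the one the advisory reports; the function names and the accept/reject helper are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF_LEN 0x800  /* heap buffer size reported in the advisory */

/* Vulnerable pattern: fixed-size heap buffer, unchecked strcpy().
 * A path of PATH_BUF_LEN bytes or more writes past the allocation
 * (undefined behaviour). Shown for contrast only; this block never
 * calls it with oversized input. */
char *copy_path_unchecked(const char *path)
{
    char *buf = malloc(PATH_BUF_LEN);
    if (buf == NULL)
        return NULL;
    strcpy(buf, path);          /* no length check: heap overflow */
    return buf;
}

/* Hardened form: measure within the bound first and refuse anything
 * that does not fit together with its terminating NUL. */
char *copy_path_bounded(const char *path)
{
    size_t len = 0;
    while (len < PATH_BUF_LEN && path[len] != '\0')
        len++;
    if (len >= PATH_BUF_LEN)    /* too long, or not terminated within bound */
        return NULL;
    char *buf = malloc(PATH_BUF_LEN);
    if (buf == NULL)
        return NULL;
    memcpy(buf, path, len + 1); /* copies the NUL as well */
    return buf;
}

/* Constructed check: would a request path of n 'A' bytes be accepted
 * by the bounded copy? Returns 1 for accepted, 0 for rejected. */
int accepts_path_of_length(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return 0;
    memset(p, 'A', n);
    p[n] = '\0';
    char *out = copy_path_bounded(p);
    int ok = (out != NULL);
    free(out);
    free(p);
    return ok;
}

int main(void)
{
    /* 0x7ff bytes plus NUL fits exactly; 0x800 bytes does not. */
    printf("0x7ff-byte path accepted: %d\n", accepts_path_of_length(0x7ff));
    printf("0x800-byte path accepted: %d\n", accepts_path_of_length(0x800));
    return 0;
}
```

The bounded version rejects at exactly the point where the original allocation would be overrun; whether a server should reject or truncate such a request is a policy choice, but silently truncating can itself create parsing inconsistencies, so rejecting with a 4xx response is the safer default.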
    
    Impact
    ------
    
    Arbitrary code can be executed on the machine running Abyss
    Webserver X1 with the privileges of the user running the server.
    This issue is not theoretical: we wrote a functional exploit, without
    need for offset guessing or brute forcing, which works on Windows 2000
    and XP (any SP).
    
    
    2/ Header injection vulnerability.
    ----------------------------------
    
    With the same type of request, a 302 HTTP status code is returned by Abyss X1.
    The Location header sent by the server contains the URL initially
    requested, but with %xx escapes decoded to their ASCII values. Embedding %0D, %0A, and
    %20 codes into the URL is allowed, meaning HTTP headers can be added.
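The header injection described above, as an added example that is not code from the advisory or from Aprelium: a percent-decoder of the kind the advisory says the server applies, an unsafe Location builder that echoes the decoded URL verbatim (so a decoded CR/LF terminates the header line), and a hardened builder that refuses any decoded control byte. The function names and the constructed sample URL are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %xx escapes into raw bytes, as the advisory describes the server
 * doing before echoing the URL back. Returns a malloc'd string. */
char *percent_decode(const char *url)
{
    size_t n = strlen(url), o = 0;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (url[i] == '%' && i + 2 < n &&
            isxdigit((unsigned char)url[i + 1]) &&
            isxdigit((unsigned char)url[i + 2])) {
            char hex[3] = { url[i + 1], url[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = url[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Unsafe builder (the behaviour the advisory reports): the decoded URL is
 * placed in the header verbatim, so a decoded CR LF ends the Location line
 * and whatever follows is read by the client as a further header. */
char *build_location_unsafe(const char *url)
{
    char *decoded = percent_decode(url);
    if (decoded == NULL)
        return NULL;
    size_t len = strlen("Location: ") + strlen(decoded) + 3;
    char *hdr = malloc(len);
    if (hdr != NULL)
        snprintf(hdr, len, "Location: %s\r\n", decoded);
    free(decoded);
    return hdr;
}

/* A header value may not contain CR, LF or any other control byte. */
int header_value_is_safe(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Hardened builder: reject (rather than emit) a value that would split
 * the header. Returns NULL when the redirect must not be sent as-is. */
char *build_location_safe(const char *url)
{
    char *decoded = percent_decode(url);
    if (decoded == NULL)
        return NULL;
    if (!header_value_is_safe(decoded)) {
        free(decoded);
        return NULL;
    }
    size_t len = strlen("Location: ") + strlen(decoded) + 3;
    char *hdr = malloc(len);
    if (hdr != NULL)
        snprintf(hdr, len, "Location: %s\r\n", decoded);
    free(decoded);
    return hdr;
}

/* Count CRLF-terminated header lines in a block: shows how many headers a
 * client would parse out of what the builder produced. */
size_t count_header_lines(const char *block)
{
    size_t lines = 0;
    for (const char *p = strstr(block, "\r\n"); p; p = strstr(p + 2, "\r\n"))
        lines++;
    return lines;
}

int main(void)
{
    /* Constructed sample: a CR LF and a harmless extra header name. */
    const char *url = "/foo%0D%0AX-Injected:%20yes";
    char *u = build_location_unsafe(url);
    printf("unsafe builder emitted %zu header line(s)\n", count_header_lines(u));
    printf("safe builder result: %s\n", build_location_safe(url) ? "sent" : "rejected");
    free(u);
    return 0;
}
```

Rejecting is the simplest correct fix; re-encoding CR and LF back to %0D and %0A before emitting the header is an alternative that keeps the redirect working. Either way, the check belongs on the decoded value, not the raw URL, since that is the form that reaches the header.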
    
    Impact
    ------
    
    This can lead to XSS issues, setting arbitrary cookies, etc.
    
    
    --[ Vulnerable/Patched Versions ]--
    
    Version 1.1.2 (and probably lower versions) is vulnerable.
    Version 1.1.6 beta gives Special Thanks for our bug report, so it should be
    fixed.
    It is unclear whether version 1.1.4 has all of these bugs or only one of them. Although
    the heap overflow can't be triggered by the method we describe here, Aprelium did
    not confirm that it was fixed in this version, and we did not investigate the issue
    further on this version.
    
    
    --[ Greetings ]--
    
    Many thanks to Daniel Dupard for running a Win2k hacking contest with
    Abyss Webserver. I completed the first part of the challenge (executing
    arbitrary code on the machine) by writing an exploit for the heap overflow
    vulnerability.
    
    
    -- Fozzy
    
    The Hackademy School, Journal & Audit
    http://www.thehackademy.net/
    



    This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 11:53:41 PDT